Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to conduct content-spoofing attacks via a crafted URL, aka "Microsoft Browser Spoofing Vulnerability."
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-085
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-084