This update for xdg-utils fixes this security issues:
CVE-2017-18266: The open_envvar function in xdg-open did not validate
strings launching the program specified by the BROWSER environment
variable, which might allowed remote attackers to conduct
argument-injection attacks via a crafted URL (bsc#1093086).