diff --git a/client/components/status/status.js b/client/components/status/status.js
index e3637752a..3d8b2283c 100644
--- a/client/components/status/status.js
+++ b/client/components/status/status.js
@@ -745,16 +745,26 @@ export default class Status extends React.Component {
 setPlanExhausted,
 } = this.props;
 const {setLoading} = this.context;
- const {message, type, warningMessage, showUpgradeBtn} = event.data;
+ const {message, type, warningMessage, showUpgradeBtn} = event.data || {};
 // Only accept messages from trusted origins,
 // For more info read: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage#security_concern
- const trustedOrigin = event.origin === new URL(captivePortalLoginForm.action).origin || event.origin === window.location.origin;
+
+ let actionOrigin = null;
+
+ try {
+ if (captivePortalLoginForm.action?.trim()) {
+ actionOrigin = new URL(captivePortalLoginForm.action).origin;
+ }
+ } catch {
+ // invalid URL, ignore
+ }
+
+ const isTrustedOrigin = event.origin === actionOrigin || event.origin === window.location.origin;
 if (
- !trustedOrigin ||
+ !isTrustedOrigin ||
 !type ||
 // internet-mode will not contain message, but message
 // is required for authError and authMessage type