Report, patch, repeat
Google’s Project Zero has announced another universal cross-site scripting (UXSS) vulnerability in WebKit, the popular browser engine.
“If an attacker can perform another page load right before returning from begin, the method will append an attacker-controlled string to a potentially cross-origin document.”
“The attack won't work if the cross-origin document has no active parser by the time begin returns,” Glazunov added.
“The easiest way to reproduce the bug is to call document.write from the victim page when the main parsing task is complete.”
The critical vulnerability was disclosed to Apple on June 12, following an earlier UXSS bug in WebKit, reported on June 4.
Both issues should have been resolved with an automatic security update. Users should ensure that their Apple operating systems are up to date and running the latest version of Safari.