Software using the popular browser engine WebKit to render web pages was temporarily vulnerable to a universal cross-site scripting (UXSS) attack, Google’s Project Zero announced yesterday.
Processing an XML stylesheet with XSLT allowed a cross-site object to persist even after the document that references it was deleted, Google said.
“The problem is that by the time setDocument is called, newDocument might already have a reference to a Frame object, and if the method returns early, that reference will never get cleared by subsequent navigations,” Project Zero’s Sergei Glazunov wrote in a bug report.
WebKit is used in multiple operating systems and is the default browser engine for Apple iOS. It helps run applications such as the Safari browser, Mail, and Apple’s App Store.
The critical vulnerability was reported to Apple on June 4 – Google has a hardline 90-day patch deadline for vendors.