VYPR
Unrated severity · NVD Advisory · Published Jan 29, 2013 · Updated Apr 29, 2026

CVE-2013-0974

Description

StoreKit in Apple iOS before 6.1 mishandles disabled JavaScript in Mobile Safari, allowing remote attackers to execute arbitrary JavaScript via a Smart App Banner.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

StoreKit in Apple iOS before 6.1 does not properly handle the disabling of JavaScript within the preferences configuration of Mobile Safari. This allows a web site with a Smart App Banner to bypass intended access restrictions and execute JavaScript code. Affected versions are iOS 6.0 and earlier on iPhone 3GS and later, iPod touch (4th generation and later), and iPad 2 and later [1].

Exploitation

An attacker can craft a malicious web site that includes a Smart App Banner. When a user with JavaScript disabled in Mobile Safari visits the site, the StoreKit component fails to respect the user's preference and still executes JavaScript code from the banner. No additional authentication or user interaction beyond visiting the site is required [1].

Impact

Successful exploitation allows the remote attacker to execute arbitrary JavaScript code in the context of the user's Safari session. This can lead to information disclosure, session hijacking, or other actions that JavaScript is capable of performing within the browser's security sandbox [1].

Mitigation

Apple released iOS 6.1 on January 28, 2013, which fixes this issue. Users should update their devices to iOS 6.1 or later [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (+ 2 more)
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=6.0.2)
    • cpe:2.3:o:apple:iphone_os:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:6.0.1:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <6.1

References

3
