VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 19, 2016 · Updated May 6, 2026

CVE-2016-1864

Description

The XSS auditor in WebKit fails to handle redirects in block mode, allowing information disclosure via crafted URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The XSS auditor in WebKit, as used in Apple iOS before 9.3 and Safari before 9.1, does not properly handle redirects in block mode. This allows a remote attacker to obtain sensitive information via a crafted URL. [1][2]

Exploitation

An attacker can craft a URL that triggers the XSS auditor's block mode; because redirects are handled improperly in that mode, the auditor may leak information about the page content. The attacker needs to lure the victim into visiting the malicious URL, for example via a link or embedded content. No authentication is required.

Impact

Successful exploitation could lead to disclosure of sensitive information from the context of the vulnerable browser. The attacker gains information that the XSS auditor was intended to protect, potentially bypassing same-origin policy restrictions.

Mitigation

Apple addressed this issue in iOS 9.3 and Safari 9.1. Users should update to these versions or later. No workarounds are documented. [1][2]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 5

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0

No linked articles in our index yet.