CVE-2016-7650
Description
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. The issue involves the "Safari Reader" component, which allows remote attackers to conduct UXSS attacks via a crafted web site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Safari Reader on iOS before 10.2 and Safari before 10.0.2 allows UXSS via a crafted web site, potentially leaking cross-origin data.
Vulnerability
A universal cross-site scripting (UXSS) vulnerability exists in the Safari Reader component of Apple iOS (prior to 10.2) and Safari (prior to 10.0.2). The bug allows a remote attacker to bypass the Same-Origin Policy when a user visits a crafted web site that triggers Safari Reader mode.
Exploitation
The attacker must host a malicious website and lure the victim to visit it using an affected Safari version. No additional authentication or user interaction beyond visiting the page is required; the UXSS payload executes in the context of the Safari Reader, potentially allowing the attacker to read or modify content from other origins.
Impact
Successful exploitation results in UXSS, enabling the attacker to execute arbitrary JavaScript in the context of arbitrary origins. This can lead to information disclosure, session hijacking, or other client-side attacks against the victim's browser session.
Mitigation
Apple addressed this issue in iOS 10.2 (released December 12, 2016) [1] and Safari 10.0.2 (released December 13, 2016) [2]. Users should update to these or later versions. No workaround is available for unpatched versions.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.0.2
- Range: <10.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.