CVE-2017-2510

Vulnerability

The vulnerability resides in WebKit's handling of pageshow events during restoration of cached frames. When a page is restored from the page cache, CachedFrameBase::restore calls enqueuePageshowEvent, which synchronously dispatches the pageshow event on the window. During this dispatch, JavaScript handlers can trigger navigation or other actions that cause the parent frame's document to be replaced, leading to a race condition. Specifically, the open method on child frames can re-enter CachedFrameBase::restore, causing the iteration over child frames to operate on a stale document. This allows a crafted website to bypass the same-origin policy. Affected versions include iOS prior to 10.3.2 and Safari prior to 10.1.1 [1][2].

Exploitation

An attacker can exploit this by crafting a malicious website that uses iframes and the pageshow event to trigger the race condition. The exploit relies on user interaction only to the extent that the victim visits the crafted page. The PoC in [3] demonstrates using two iframes with onpageshow handlers: one that navigates the top window and calls showModalDialog, and another that repeatedly checks for a cross-origin property. The race causes the sibling frame to be attached to a wrong document, enabling the page to access properties of a different origin.

Impact

Successful exploitation allows a remote attacker to perform Universal XSS (UXSS), executing arbitrary scripts in the context of any website loaded in the browser. This can lead to theft of sensitive data, session hijacking, or other malicious actions within the security context of the victim's browsing session.

Mitigation

Apple released fixes with iOS 10.3.2 and Safari 10.1.1 on May 15, 2017 [1][2]. For Gentoo Linux, WebKitGTK+ users should upgrade to version 2.16.3 or later [4]. No workarounds are available; updating to the patched version is the recommended action.