CVE-2017-7038
Description
A DOMParser XSS issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DOM parser cross-site scripting (XSS) vulnerability in WebKit affects Apple iOS, Safari, and tvOS, allowing arbitrary code execution via malicious web content.
Vulnerability
A DOM parser cross-site scripting (XSS) issue exists in the WebKit component of certain Apple products. It affects iOS versions before 10.3.3, Safari versions before 10.1.2, and tvOS versions before 10.2.2 [1][2][3]. The vulnerability can be triggered when the browser parses maliciously crafted web content, leading to unexpected behavior.
Exploitation
An attacker must trick the user into visiting a malicious website, or serve compromised web content that exploits the DOM parsing flaw. No further authentication or special network position is required beyond standard web browsing [1][2][3]. The exact attack vector involves the DOMParser API mishandling certain input, allowing script injection.
Impact
Successful exploitation may cause unexpected application termination or arbitrary code execution, potentially leading to full compromise of the affected device [1][2]. The impact ranges from denial of service to arbitrary code execution depending on the targeted product and version.
Mitigation
Apple released fixes with iOS 10.3.3, Safari 10.1.2, and tvOS 10.2.2 on July 19, 2017 [1][2][3]. Users should update to these or later versions. For WebKitGTK+ users on Linux, Gentoo's GLSA advises upgrading to at least version 2.16.6 [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:webkit:-:*:*:*:*:*:*:*
- osv-coords (11 versions), range: < 2.18.5-2.18.1 (+ 10 more)
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP2
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
- (no CPE) range: < 2.18.5-2.18.1
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/99888 (nvd; Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1038950 (nvd; Third Party Advisory, VDB Entry)
- security.gentoo.org/glsa/201710-14 (nvd; Third Party Advisory)
- support.apple.com/HT207921 (nvd; Vendor Advisory)
- support.apple.com/HT207923 (nvd; Vendor Advisory)
- support.apple.com/HT207924 (nvd; Vendor Advisory)