CVE-2017-7089
Description
An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that is mishandled during parent-tab processing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted website can perform Universal XSS when WebKit mishandles parent-tab processing in iOS, Safari, and iCloud for Windows before patched versions.
Vulnerability
A Universal XSS (UXSS) vulnerability exists in the WebKit component of Apple products including iOS before 11, Safari before 11, and iCloud for Windows before 7.0. The issue occurs when parent-tab processing mishandles a crafted website, allowing cross-origin script execution [1][2][3].
Exploitation
An attacker can exploit this issue by tricking a user into visiting a malicious website. No additional privileges or network position beyond standard web access are required. The crafted website is mishandled during parent-tab processing, which triggers the UXSS behavior [1].
Impact
Successful exploitation allows the attacker to conduct Universal XSS attacks, which can bypass the same-origin policy and execute arbitrary scripts in the context of other open web pages or tabs. This can lead to data theft, session hijacking, or other unauthorized actions similar to cross-site scripting [1].
Mitigation
Apple has addressed this vulnerability with improved state management in iOS 11 (released September 19, 2017), Safari 11 (released September 19, 2017), and iCloud for Windows 7.0 (released September 25, 2017). Users should update to the latest versions of these products. No workarounds have been published by Apple [1][2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (17)
- osv-coords, 12 versions (< 2.32.4-1.1 + 11 more):
  - pkg:rpm/opensuse/gtk3&distro=openSUSE%20Tumbleweed (no CPE), range: < 2.32.4-1.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP2 (no CPE), range: < 2.18.5-2.18.1
  - pkg:rpm/suse/webkit2gtk3&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3 (no CPE), range: < 2.18.5-2.18.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- www.securityfocus.com/bid/100893 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039384 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039385 (nvd: Third Party Advisory, VDB Entry)
- support.apple.com/HT208112 (nvd: Vendor Advisory)
- support.apple.com/HT208116 (nvd: Vendor Advisory)
- support.apple.com/HT208142 (nvd: Vendor Advisory)
News mentions (0)
No linked articles in our index yet.