VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Oct 23, 2017 · Updated May 13, 2026

CVE-2017-7144

Description

WebKit cookie mishandling in Apple iOS and Safari allows remote attackers to track Safari Private Browsing users, undermining privacy protections.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cookie-handling flaw exists in the WebKit component of Apple iOS before version 11 and Safari before version 11. Safari's Private Browsing mode is meant to keep cookies set during a private session from persisting or being reused to recognise the user; because of improper cookie state management in WebKit, a remote site could defeat that isolation and track Private Browsing users. Affected products are iOS before 11 and Safari before 11 on OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13 [1][2].

Exploitation

An attacker who can serve content to a victim, whether from a malicious website or through content injected via an ad network, can use the cookie mishandling to track the victim across activity that Private Browsing should have kept isolated. No authentication is required; the only user interaction is loading the attacker-controlled page. Apple's advisory and the NVD entry describe the issue only as cookie mishandling in WebKit and do not publish the exact sequence. Cookie-based tracking of this kind generally works by setting an identifier cookie from the attacker's page and reading it back on later requests; the flaw is that the identifier survived where Private Browsing should have discarded or isolated it, so a later visit presented the same identifier to the attacker [1][2].

Impact

Successful exploitation allows the attacker to track users even when they believe they are browsing privately. The primary impact is a breach of privacy (confidentiality of browsing habits), potentially enabling behavioral profiling or fingerprinting. The attacker does not gain code execution, privilege escalation, or direct access to system files [1][2].

Mitigation

Apple addressed the issue in iOS 11 and Safari 11, both released September 19, 2017. Users should update to iOS 11 or later, or to Safari 11 or later on a supported macOS version. Apple published no workaround for unpatched systems, so on affected builds Private Browsing should not be relied on to isolate cookies from a site the user visits. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (4)

  • Apple Inc. / Safari, cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
    • CPE range: <= 10.1.2
    • Advisory range (no CPE): < 11
  • Apple Inc. / iOS, cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    • CPE range: <= 10.3.3
    • Advisory range (fuzzy match): < 11

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.