CVE-2018-15669
Description
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that requests from HTMLIFrameElements are blacklisted. However, other sub-classes of HTMLFrameOwnerElements are not forbidden by the policy. An attacker may abuse HTML plug-in elements within an email to trigger frame navigation requests that bypass this filter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incomplete blacklist in Airmail 3.5.9 for macOS lets an attacker abuse HTML plug-in elements to bypass frame navigation restrictions in an email.
Vulnerability
An incomplete blacklist in the WebView of Bloop Airmail 3 version 3.5.9 for macOS allows frame navigation requests from HTML plug-in elements (sub-classes of HTMLFrameOwnerElements) to bypass the security policy. The policy implementation in webView:decidePolicyForNavigationAction:request:frame:decisionListener: only blacklists HTMLIFrameElements, leaving other frame-owning elements unrestricted [1].
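The difference between the deny-list described above and a deny-by-default policy, as an added example that is not Airmail's code or the advisory's. The class names are hypothetical, and the "before" delegate is an assumed reconstruction of the pattern (the page does not show how the application identifies iframe-owned frames); the WebKit legacy calls used are the real `WebPolicyDelegate` API.

```objc
// Added example: build against the legacy WebKit framework on macOS.
#import <WebKit/WebKit.h>

// BEFORE (assumed shape of the flaw): a deny-list keyed on one element class.
@interface IFrameOnlyPolicy : NSObject <WebPolicyDelegate>
@end

@implementation IFrameOnlyPolicy
- (void)webView:(WebView *)webView
decidePolicyForNavigationAction:(NSDictionary *)actionInformation
        request:(NSURLRequest *)request
          frame:(WebFrame *)frame
decisionListener:(id<WebPolicyDecisionListener>)listener
{
    // Only frames owned by an <iframe> element are refused ...
    if ([[frame frameElement] isKindOfClass:[DOMHTMLIFrameElement class]]) {
        [listener ignore];
        return;
    }
    // ... so a frame owned by any other HTMLFrameOwnerElement sub-class
    // falls through to the permissive default.
    [listener use];
}
@end

// AFTER: deny by default. The decision no longer depends on the owner type.
@interface MainFrameOnlyPolicy : NSObject <WebPolicyDelegate>
@end

@implementation MainFrameOnlyPolicy
- (void)webView:(WebView *)webView
decidePolicyForNavigationAction:(NSDictionary *)actionInformation
        request:(NSURLRequest *)request
          frame:(WebFrame *)frame
decisionListener:(id<WebPolicyDecisionListener>)listener
{
    // Refuse every subframe navigation, whatever element owns the frame,
    // so element types added to the engine later cannot slip past the filter.
    if (frame != [webView mainFrame]) {
        [listener ignore];
        return;
    }
    // Main-frame handling (the message body itself) is outside this example.
    [listener use];
}
@end
```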
Exploitation
An attacker sends an email containing a specially crafted HTML plug-in element (e.g., ` or `) that triggers a frame navigation request. The user only needs to open the email in the vulnerable application; no additional interaction is required for the request to be processed [1].
Impact
Successful exploitation allows the attacker to bypass the intended security policy and initiate arbitrary frame navigation requests within the user's email client. This can lead to information disclosure or other unauthorized actions in the context of the Airmail WebView, depending on the nature of the navigation target [1].
Mitigation
According to the advisory, the vendor provided no response or fix [1]. Users should consider upgrading to a later version if available or switching to an alternative email client for macOS. No workaround is documented. CVE-2018-15669 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
- [1] versprite.com/advisories/airmail-3-for-mac-3/ (mitre, x_refsource_MISC)