CVE-2017-17859
MEDIUMSamsung Internet Browser 6.2.01.12 - Universal Cross-Site Scripting via MHTML IFRAME in XSLT
Title source: llmDescription
Samsung Internet Browser 6.2.01.12 allows remote attackers to bypass the Same Origin Policy, and conduct UXSS attacks to obtain sensitive information, via vectors involving an IFRAME element inside XSLT data in one part of an MHTML file. Specifically, JavaScript code in another part of this MHTML file does not have a document.domain value corresponding to the domain that is hosting the MHTML file, but instead has a document.domain value corresponding to an arbitrary URL within the content of the MHTML file.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://poctestblog.blogspot.com/2017/12/samsung-internet-browser-sop-bypassuxss.html
Scores
CVSS v3
6.1
EPSS
0.0077
EPSS Percentile
73.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
samsung/internet_browser
6.2.01.12
Published
Dec 27, 2017
Tracked Since
Feb 18, 2026