CVE-2017-2508

MEDIUM

Safari < 10.1.1 - Universal Cross-Site Scripting in WebKit via Container Node Interaction

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-2508. PoCs published by Google Security Research.

AI-analyzed exploit summary: The write-up describes a DOM manipulation vulnerability in WebKit's ContainerNode::parserInsertBefore function, where script execution during parserRemoveChild leaves the DOM tree in an inconsistent state that bypasses the origin restrictions between frames, hence the UXSS classification. The PoC is referenced but not included in the provided code snippet.

Description

An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly interacts with container nodes.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Google Security Research · text · webapps · multiple
https://www.exploit-db.com/exploits/42066

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: WebKit (Apple Safari on macOS and iOS). Chromium-based browsers use the Blink fork of WebKit and are not covered by this CVE.
No auth needed
Prerequisites: the victim loads an attacker-controlled page in a vulnerable Safari or iOS WebKit build (UI:R in the vector)
devstral-2 · analyzed Feb 16, 2026

References (6)

Third Party Advisory, VDB Entry (SecurityTracker)
http://www.securitytracker.com/id/1038487
Third Party Advisory, VDB Entry (SecurityFocus BID)
http://www.securityfocus.com/bid/98474
Vendor Advisory (Apple, Safari 10.1.1)
https://support.apple.com/HT207804
Exploit, Third Party Advisory (Exploit-DB)
https://www.exploit-db.com/exploits/42066/
Third Party Advisory (Gentoo GLSA)
https://security.gentoo.org/glsa/201706-15
Vendor Advisory (Apple, iOS 10.3.2)
https://support.apple.com/HT207798

Scores

CVSS v3.0 base score 6.1 (Medium)
EPSS 0.0301 (3.01%)
EPSS Percentile 85.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
apple/iphone_os ≤ 10.3.1 (fixed in iOS 10.3.2)
apple/safari ≤ 10.1 (fixed in Safari 10.1.1)
Published May 22, 2017
Tracked Since Feb 18, 2026
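To turn the affected-version bounds above into an exposure check, the following added example (written for this page, not taken from it or from Apple) scans web-server access logs for clients still on a pre-fix Safari or iOS build. The log lines are constructed samples in the assumed Apache/Nginx combined format; the fixed versions are those named in the Apple advisories referenced on this page (Safari 10.1.1, iOS 10.3.2). On iOS every browser is the system WebKit, so the OS version token is what matters; on macOS only Safari ships WebKit, so Chrome and Firefox are excluded.

```python
import re

# Fixed releases per the Apple advisories cited on this page:
# Safari 10.1.1 (HT207804) and iOS 10.3.2 (HT207798). Anything older is in scope.
FIXED_SAFARI = (10, 1, 1)
FIXED_IOS = (10, 3, 2)

# iPhone UAs say "CPU iPhone OS 10_3_1", iPad UAs say "CPU OS 10_3_1".
IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X")
# Desktop Safari carries a "Version/x.y[.z]" token that Blink/Gecko browsers lack.
MAC_SAFARI_RE = re.compile(r"Macintosh.*\bVersion/(\d+(?:\.\d+)*) .*Safari/")
# Assumed combined log format: the user agent is the last quoted field on the line.
UA_RE = re.compile(r'"([^"]*)"\s*$')


def parse_version(text, sep):
    """'10_3_1' -> (10, 3, 1); pads short versions so 10.1 compares as 10.1.0."""
    parts = tuple(int(p) for p in text.split(sep))
    return parts + (0,) * (3 - len(parts))


def classify(ua):
    """Return (platform, version, vulnerable) for Apple WebKit agents, else None."""
    m = IOS_RE.search(ua)
    if m:
        v = parse_version(m.group(1), "_")
        return ("ios", v, v < FIXED_IOS)
    m = MAC_SAFARI_RE.search(ua)
    if m and "Chrome/" not in ua:
        v = parse_version(m.group(1), ".")
        return ("safari", v, v < FIXED_SAFARI)
    return None


def scan_log(lines):
    """Return (client, platform, version) for every request from a still-vulnerable agent."""
    hits = []
    for line in lines:
        m = UA_RE.search(line)
        if not m:
            continue
        result = classify(m.group(1))
        if result and result[2]:
            client = line.split(" ", 1)[0]
            hits.append((client, result[0], result[1]))
    return hits


# Constructed sample log lines (not real traffic), combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/May/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30"',
    '10.0.0.6 - - [22/May/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4"',
    '10.0.0.7 - - [22/May/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1"',
    '10.0.0.8 - - [22/May/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1"',
    '10.0.0.9 - - [22/May/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"',
]

if __name__ == "__main__":
    for client, platform, version in scan_log(SAMPLE_LOG):
        print(client, platform, ".".join(map(str, version)))
```

On the sample above only the Safari 10.1 and iOS 10.3.1 clients are flagged; Safari 10.1.1, iOS 10.3.2 and Chrome on macOS are not. The User-Agent header is client-controlled, so treat this as inventory data for prioritising patching rather than as an enforcement control.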