CVE-2017-2510

MEDIUM

Safari < 10.1.1 - Universal Cross-Site Scripting via Pageshow Event Handling

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-2510. PoCs published by Google Security Research.

AI-analyzed exploit summary This PoC exploits a race condition in WebKit's CachedFrameBase::restore() to manipulate frame hierarchies and execute arbitrary JavaScript in a privileged context. It leverages synchronous event dispatching during frame restoration to achieve cross-origin script execution.

Description

An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that improperly interacts with pageshow events.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Google Security Research · htmlwebappsmultiple

https://www.exploit-db.com/exploits/42067

View Code ZIP pw:eip

This PoC exploits a race condition in WebKit's CachedFrameBase::restore() to manipulate frame hierarchies and execute arbitrary JavaScript in a privileged context. It leverages synchronous event dispatching during frame restoration to achieve cross-origin script execution.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Complex

Reliability

Racy

Target: WebKit (Safari, Chrome < 56)

No auth needed

Prerequisites: User interaction (click) · Browser with vulnerable WebKit version

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1038487

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/98474

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT207804

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201706-15

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42067/

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT207798

Scores

CVSS v3 6.1

EPSS 0.0119

EPSS Percentile 79.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

apple/iphone_os < 10.3.1

apple/safari < 10.1

Published May 22, 2017

Tracked Since Feb 18, 2026