CVE-2017-7089

MEDIUM

Safari < 11 / iOS < 11 (WebKit) - Universal Cross-Site Scripting via Parent-Tab Handling

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-7089: PoCs published by Anton Lopanitsyn (Exploit-DB), Bo0oM (GitHub) and aymankhalfatni (GitHub, a stub with no code). Anton Lopanitsyn publishes on GitHub as Bo0oM, so the first two entries are the same author's PoC.

AI-analyzed exploit summary: The exploit abuses a logic issue in how Safari 10 (WebKit) tracks a tab's parent tab (the tab that opened it) to bypass the Same-Origin Policy (SOP) and execute attacker-controlled JavaScript in the context of another origin, i.e. universal cross-site scripting (UXSS). The PoC is an attacker-controlled page that opens a new tab and, through the mishandled parent-tab relationship, gets its script to run in another origin. "Parent-tab" here is WebKit's internal tab relationship, not a URI scheme; there is no parent-tab:// scheme involved.

Description

An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site that is mishandled during parent-tab processing.
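The description gives the affected ranges only in prose ("iOS before 11", "Safari before 11"). The following is an added example by the editor, not part of the original entry or of any of the PoCs listed below, that turns those ranges into a check you can run over User-Agent strings from access logs or an MDM inventory. It assumes the fixed-in versions stated in the description (Safari 11, iOS 11); the product keys mirror the Products list, and the sample User-Agent strings are constructed for illustration, not captured traffic. It goes slightly beyond the entry in two ways a practitioner needs: on iOS every browser and in-app WKWebView uses the system WebKit, so the iOS version decides exposure even for CriOS/FxiOS or a UA with no Safari/ token, and on macOS the Blink browsers that carry a legacy "Safari/537.36" token must be excluded rather than counted as Safari. The Windows products (iCloud, iTunes) are not observable from a UA and are out of scope here.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First fixed releases, taken from the CVE description on this page
# ("iOS before 11 is affected. Safari before 11 is affected.").
# Keys follow the Products list (apple/safari, apple/iphone_os).
FIXED_IN: Dict[str, Version] = {
    "safari": (11, 0, 0),
    "iphone_os": (11, 0, 0),
}


def parse_version(text: str, width: int = 3) -> Version:
    """Parse '10.1.2' or '10_3_3' into a zero-padded tuple of ints.

    Numeric tuples compare correctly where strings do not:
    '10.1.2' < '9.1' lexically, but (10, 1, 2) > (9, 1, 0).
    Zero padding makes '11' and '11.0' compare equal.
    """
    parts = [int(p) for p in re.split(r"[._]", text) if p.isdigit()]
    parts += [0] * (width - len(parts))
    return tuple(parts)


# iOS fragment: "CPU iPhone OS 10_3_3 like Mac OS X" or "CPU OS 10_3_3 like Mac OS X" (iPad).
# Does not match the macOS fragment "Mac OS X 10_12_6)".
_IOS_RE = re.compile(r"\bOS (\d+(?:_\d+)*) like Mac OS X")
# Desktop Safari reports its own release in a "Version/x.y.z" token.
_SAFARI_VERSION_RE = re.compile(r"\bVersion/(\d+(?:\.\d+)*)")
# Blink browsers that carry a legacy "Safari/537.36" token but do not run Apple's WebKit.
_NOT_WEBKIT_RE = re.compile(r"\b(?:Chrome|Chromium|Edg|OPR)/")


def identify_webkit(ua: str) -> Optional[Tuple[str, Version]]:
    """Return (product, version) for clients running Apple's WebKit, else None.

    iOS is checked first: third-party iOS browsers (CriOS, FxiOS) and in-app
    WKWebViews all use the system WebKit, so the OS version governs exposure.
    """
    if "AppleWebKit/" not in ua:
        return None
    m = _IOS_RE.search(ua)
    if m:
        return "iphone_os", parse_version(m.group(1))
    if _NOT_WEBKIT_RE.search(ua):
        return None
    m = _SAFARI_VERSION_RE.search(ua)
    if m and "Safari/" in ua:
        return "safari", parse_version(m.group(1))
    return None


def is_affected(ua: str) -> Optional[bool]:
    """True if the client is in the affected range for CVE-2017-7089,
    False if it runs a fixed release, None if it is not an assessable
    Apple WebKit client. Treat None as 'unknown', never as 'safe'."""
    ident = identify_webkit(ua)
    if ident is None:
        return None
    product, version = ident
    return version < FIXED_IN[product]


def triage(user_agents: List[str]) -> Dict[str, int]:
    """Bucket a batch of User-Agent strings (e.g. pulled from access logs)."""
    counts = {"affected": 0, "fixed": 0, "unknown": 0}
    for ua in user_agents:
        verdict = is_affected(ua)
        key = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        counts[key] += 1
    return counts


# Constructed sample User-Agent strings (not captured traffic), one per case.
SAMPLE_UAS = [
    # macOS Safari 10.1.2: last Safari 10 release, affected
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8",
    # macOS Safari 11.0: fixed
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38",
    # iOS 10.3.3 in-app WKWebView (no Safari/ token): still system WebKit, affected
    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60",
    # Chrome on iOS 10.3.3: uses system WebKit, affected
    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) CriOS/61.0.3163.73 Mobile/14G60 Safari/602.1",
    # iPad on iOS 11.0: fixed
    "Mozilla/5.0 (iPad; CPU OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1",
    # macOS Chrome: Blink, not WebKit, unknown/not applicable
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
    # Firefox: no AppleWebKit token at all
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(is_affected(ua), ua)
    print(triage(SAMPLE_UAS))
```

The split between `None` and `False` matters in practice: a triage that reports "not affected" for every non-Safari UA will silently mark unparseable or spoofed clients as safe, so the unknown bucket should be reviewed separately rather than folded into the fixed count.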

Exploits (3)

exploitdb WORKING POC
by Anton Lopanitsyn · html · local · multiple
https://www.exploit-db.com/exploits/45866

This exploit abuses a logic issue in how Safari 10 (WebKit) tracks a tab's parent tab (its opener) to bypass the Same-Origin Policy (SOP) and execute attacker-controlled JavaScript in the context of another origin, i.e. universal cross-site scripting (UXSS). The PoC is an attacker-controlled page that opens a new tab and, through the mishandled parent-tab relationship, injects script that runs in another origin. "Parent-tab" refers to WebKit's internal tab relationship, not to a URI scheme.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Safari 10
No auth needed
Prerequisites: Victim must be using Safari 10 · Victim must load the attacker's page (the PoC fires on a click or on the page's load event, so a click is not strictly required)
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 63 stars
by Bo0oM · poc
https://github.com/Bo0oM/CVE-2017-7089

This repository contains a proof-of-concept for CVE-2017-7089, a universal cross-site scripting (XSS) vulnerability in Safari 10. The exploit leverages a logic issue in the handling of the parent-tab to bypass the Same-Origin Policy (SOP) and execute arbitrary JavaScript in the context of another domain.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Safari 10
No auth needed
Prerequisites: Victim must visit a malicious webpage or click a malicious link
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
nomisec STUB 1 star
by aymankhalfatni · poc
https://github.com/aymankhalfatni/Safari_Mac

The repository contains only a README.md file with minimal information about CVE-2017-7089, lacking any exploit code or technical details.

Classification
Stub 10%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Safari (version unspecified)
No auth needed
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Vendor Advisory (Apple, security content of Safari 11): https://support.apple.com/HT208112
Vendor Advisory (Apple, security content of iOS 11): https://support.apple.com/HT208116
Vendor Advisory (Apple, security content of iCloud for Windows 7.0): https://support.apple.com/HT208142
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1039384
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1039385
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/100893

Scores

CVSS v3 6.1
EPSS 0.0189
EPSS Percentile 83.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (5)
apple/icloud <= 6.9.1
apple/iphone_os <= 10.3.3
apple/itunes <= 12.6.2
apple/safari <= 10.1.2
apple/tvos <= 10.2.2
Version bounds are inclusive: the Description states that the fix shipped in iOS 11, Safari 11 and iCloud for Windows 7.0, so the last 10.x releases listed here (Safari 10.1.2, iOS 10.3.3) are affected, not fixed.
Published Oct 23, 2017
Tracked Since Feb 18, 2026