This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. A website may be able to bypass Same Origin Policy.
The problem results from improper state management in the Safari browser engine. Through this vulnerability, a malicious website can bypass the Same Origin Policy mechanism, which normally prevents websites from accessing resources and data belonging to other domains. Apple fixed the bug by improving state management.
An attacker can gain unauthorized access to data from other domains visited by the victim, which may lead to session hijacking, cookie theft, sensitive information disclosure, or manipulation of content in the context of other websites.
Update to the following versions: Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, or visionOS 2.4. Patches are available through standard Apple updates — details available at the manufacturer's reference addresses.
Safari before version 18.4, iOS and iPadOS before version 18.4, macOS Sequoia before version 15.4, visionOS before version 2.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple iPadOS
OSApple< 18.4Apple iOS
OSApple< 18.4Apple macOS
OSApple< 15.4Apple Safari
APPApple< 18.4Apple Visionos
OSApple< 2.4
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki