CVE-2021-30744: 
Apple Safari vulnerability analysis and mitigation

CVE-2021-30744 is a cross-origin vulnerability affecting iframe elements in Apple's WebKit browser engine. The vulnerability was discovered and reported by Dan Hite of jsontop and was fixed in multiple Apple products including tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, and watchOS 7.5, released on May 24, 2021. The affected systems include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), Apple TV 4K, Apple TV HD, and Apple Watch Series 3 and later (Apple Support, Apple Support).

The vulnerability is classified as a cross-origin issue with iframe elements that could lead to universal cross-site scripting (XSS). The issue was addressed by improving the tracking of security origins in the WebKit engine. The vulnerability has a CVSS v3.1 Base Score of 6.1 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network exploitable, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

When successfully exploited, the vulnerability could allow processing of maliciously crafted web content leading to universal cross-site scripting. This could potentially allow attackers to execute arbitrary scripts in the context of any website, potentially leading to theft of sensitive information, session hijacking, or other web-based attacks (Apple Support).

Apple addressed this vulnerability by releasing security updates across multiple platforms. Users should update to tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, or watchOS 7.5 depending on their device. These updates include improved tracking of security origins in the WebKit engine to prevent cross-origin issues (Apple Support, Apple Support).