CVE-2024-44187: 
Apple Safari vulnerability analysis and mitigation

A cross-origin issue was discovered in WebKit's handling of iframe elements that affects multiple Apple operating systems and Safari browser. The vulnerability (CVE-2024-44187) was disclosed on September 16, 2024, and affects Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18, iPadOS 18, and tvOS 18. The vulnerability allows malicious websites to exfiltrate data cross-origin (Apple Support, NVD).

The vulnerability is related to improper tracking of security origins in iframe elements within WebKit. It has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-346 (Origin Validation Error) (NVD).

When exploited, this vulnerability allows malicious websites to perform cross-origin data exfiltration, potentially compromising user privacy and data security across different web origins (Apple Support).

Apple has addressed this vulnerability by improving the tracking of security origins in WebKit. The fix is included in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18, iPadOS 18, and tvOS 18. Users are advised to update their devices to these versions to mitigate the risk (Apple Support).