[wpe-webkit] WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
Carlos Alberto Lopez Perez
clopez at igalia.com
Mon Jan 31 10:49:31 PST 2022
On 21/01/2022 16:53, Carlos Alberto Lopez Perez wrote:
> CVE-2022-XXXXX
> Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
> Credit to Martin Bajanik from fingerprintjs.com.
> Impact: A malicious website may exfiltrate data cross-origin.
> Description: A cross-origin issue existed with the IndexedDB. This
> was addressed with improved checking of security origins.
> Notes: There is a public PoC demonstrating this issue at
> https://safarileaks.com so this issue may have been actively
> exploited. We still don't know the CVE number that will be assigned
> to this issue. We will update this advisory once we know it.
The data for the above unknown CVE number is now updated with the info below:
CVE-2022-22594
Versions affected: WebKitGTK and WPE WebKit before 2.34.4.
Credit to Martin Bajanik of fingerprintjs.com.
Impact: A website may be able to track sensitive user information.
Description: A cross-origin issue in the IndexDB API was addressed
with improved input validation.
Notes: There is a public PoC demonstrating this issue at
safarileaks.com so it may have been actively exploited.