CVE-2018-15669

Name of the Vulnerable Software and Affected Versions Bloop Airmail 3 version 3.5.9

Description An issue was discovered where the primary WebView instance in Bloop Airmail 3 for macOS does not properly restrict frame navigation requests from all sub-classes of HTMLFrameOwnerElements. Specifically, while requests from HTMLIFrameElements are blacklisted, other sub-classes are not forbidden by the policy. This could allow an attacker to abuse HTML plug-in elements within an email to trigger frame navigation requests that bypass the filter.

Recommendations For Bloop Airmail 3 version 3.5.9, consider restricting access to HTML plug-in elements within emails as a temporary workaround until a patch is available.