Matthew Bryant

Researcher from Uber Security Team
#52044 of 53,635
4.3 Total CVSS
Vulnerabilities · 1
PT-2016-1543
4.3
2016-03-24
Apple · OS X · CVE-2016-1764
**Name of the Vulnerable Software and Affected Versions**

OS X versions prior to 10.11.4

**Description**

The issue is related to the Content Security Policy (CSP) implementation in the Messages component of Apple OS X. It allows remote attackers to obtain sensitive information via a javascript: URL. The vulnerability is associated with a lack of protection for sensitive data, which can be exploited by a remote attacker to gain confidential information by navigating to a JavaScript link.

**Recommendations**

For OS X versions prior to 10.11.4, update to version 10.11.4 or later to resolve the issue. As a temporary workaround, consider restricting access to javascript: URLs in the Messages component to minimize the risk of exploitation.