CVE-2009-3016

Name of the Vulnerable Software and Affected Versions: Apple Safari version 4.0.3

Description: The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via several vectors related to injecting or entering specific URIs in Refresh headers in HTTP responses. This includes injecting a Refresh header with a javascript: URI, entering a javascript: URI for the content of a Refresh header, injecting a Refresh header with JavaScript sequences in a data:text/html URI, or entering a data:text/html URI with JavaScript sequences for the content of a Refresh header.

Recommendations: For Apple Safari version 4.0.3, consider disabling the handling of javascript: and data: URIs in Refresh headers until a patch is available. Restrict access to potentially vulnerable web pages to minimize the risk of exploitation. Avoid using the javascript: and data: protocols in Refresh headers until the issue is resolved.