CVE-2017-17859

Name of the Vulnerable Software and Affected Versions Samsung Internet Browser version 6.2.01.12

Description The issue allows remote attackers to bypass the Same Origin Policy and conduct UXSS attacks to obtain sensitive information. This is achieved via vectors involving an IFRAME element inside XSLT data in one part of an MHTML file. Specifically, JavaScript code in another part of this MHTML file does not have a document.domain value corresponding to the domain that is hosting the MHTML file, but instead has a document.domain value corresponding to an arbitrary URL within the content of the MHTML file.

Recommendations For Samsung Internet Browser version 6.2.01.12, as a temporary workaround, consider disabling the use of IFRAME elements inside XSLT data in MHTML files until a patch is available. Restrict access to MHTML files to minimize the risk of exploitation. Avoid using JavaScript code with arbitrary document.domain values in MHTML files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.