CVE-2014-1346 Information

Description

WebKit as used in Apple Safari before 6.1.4 and 7.x before 7.0.4 does not properly interpret Unicode encoding which allows remote attackers to spoof a postMessage origin and bypass intended restrictions on sending a message to a connected frame or window via crafted characters in a URL.

Reference

http://archives.neohapsis.com/archives/bugtraq/2014-05/0128.html http://archives.neohapsis.com/archives/bugtraq/2014-06/0174.html http://support.apple.com/kb/HT6254 http://www.securityfocus.com/bid/67554