An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements webView:decidePolicyForNavigationAction:request:frame:decisionListener: such that requests from HTMLIFrameElements are blacklisted. However, other sub-classes of HTMLFrameOwnerElements are not forbidden by the policy. An attacker may abuse HTML plug-in elements within an email to trigger frame navigation requests that bypass this filter.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Airmail_3 | Bloop | 3.5.9 (including) | 3.5.9 (including) |