Airmail 3 for Mac

Incomplete Blacklist of Frame Owning Elements

Vendor

Bloop S.R.L.

Product

Airmail 3 for Mac

Product Version

3.5.9

Vulnerability Details

Airmail's primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that navigation requests from HTMLIFrameElement are blacklisted. However, other subclasses of HTMLFrameOwnerElement are not forbidden by the policy. An attacker may abuse HTML plug-in elements within an email to trigger frame navigation requests that bypass this filter.
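The gap described above can be checked for on the message side. This is an added example, not code from Airmail or from the advisory: it scans a constructed message body and reports which frame-owning elements an iframe-only filter would refuse and which it would still allow. The tag list and the names FRAME_OWNER_TAGS, IFRAME_ONLY, FrameOwnerScanner and audit are assumptions of this example.

```python
from html.parser import HTMLParser

# Assumption of this example: tags backed by HTMLFrameOwnerElement subclasses
# in WebKit, i.e. frame elements (iframe, frame) and plug-in elements
# (object, embed, applet).
FRAME_OWNER_TAGS = frozenset({"iframe", "frame", "object", "embed", "applet"})
# Model of the filter the advisory describes: only iframes are refused.
IFRAME_ONLY = frozenset({"iframe"})


class FrameOwnerScanner(HTMLParser):
    """Collect every element in a message body that can own a sub-frame."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []  # list of (tag, url-or-None) in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <IFRAME> and <iframe> match alike.
        if tag in FRAME_OWNER_TAGS:
            a = dict(attrs)
            self.found.append((tag, a.get("src") or a.get("data")))


def audit(html, blocked_tags):
    """Return (refused, allowed) sub-frame loads under a tag-based filter."""
    scanner = FrameOwnerScanner()
    scanner.feed(html)
    scanner.close()
    refused = [f for f in scanner.found if f[0] in blocked_tags]
    allowed = [f for f in scanner.found if f[0] not in blocked_tags]
    return refused, allowed


# Constructed sample message body; the .invalid hosts are placeholders.
SAMPLE = """
<p>Quarterly report attached.</p>
<IFRAME src="https://a.example.invalid/one"></IFRAME>
<object data="https://b.example.invalid/two"></object>
<embed src="https://c.example.invalid/three">
<img src="https://d.example.invalid/logo.png">
"""

if __name__ == "__main__":
    for name, policy in (("iframe-only", IFRAME_ONLY),
                         ("all frame owners", FRAME_OWNER_TAGS)):
        refused, allowed = audit(SAMPLE, policy)
        print(f"{name}: refused={len(refused)} still allowed={allowed}")
```

A filter keyed on the full set leaves nothing in the allowed list; refusing every navigation that does not target the main frame, whatever element owns it, avoids depending on a tag list at all.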

Vendor Response

No response.

Disclosure Timeline

  • Vendor disclosure via email

  • Vendor notified via Support Page

  • Vendor notified of the advisory release