Incomplete Blacklist of Frame Owning Elements
Airmail 3 for Mac
Airmail's primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that requests from HTMLIFrameElements are blacklisted. However, other sub-classes of HTMLFrameOwnerElements are not forbidden by the policy. An attacker may abuse HTML Plug-In Elements within an email to trigger Frame navigation requests that bypass this filter.
08-06-2018 - Vendor disclosure via email 08-13-2018 - Vendor notified via Support Page 08-21-2018 - Vendor notified of the advisory release
Offensive Minded Security Exploit Development