Airmail 3 for Mac

EventHandler Race Condition

Vendor

Bloop S.R.L.

Product

Airmail 3 for Mac

Product Version

3.5.9

Vulnerability Details

Airmail’s primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that “OpenURL” is the default URL handler. A navigation request is processed by the default URL handler only if the “currentEvent” is “NX_LMOUSEUP” or “NX_OMOUSEUP”. An attacker may abuse HTML Elements with an EventHandler for a chance to validate navigation requests for URLs that are processed during the “NX_LMOUSEUP” event triggered by clicking an email.

Vendor Response

No response.

Disclosure Timeline

  • Vendor disclosure via email

  • Vendor notified via Support Page

  • Vendor notified of the advisory release