A critical vulnerability in Apple’s Safari browser has been discovered that allows attackers to execute arbitrary JavaScript code by exploiting how the browser handles TypeError exceptions.
The vulnerability combines Safari’s error handling mechanisms with cross-site scripting (XSS) techniques, creating a streamlined attack vector that requires minimal code to execute.
This exploit is particularly concerning as it can be concealed within window.name parameters and triggered through exception handling.
The security researcher who identified the flaw was experimenting with HackPad on Hackvertor when they recalled a previous Safari TypeError vulnerability.
This led to an investigation into how TypeError messages in Safari could be weaponized. The fundamental issue stems from Safari’s improper handling of quote characters in error messages.
“Safari converts single quotes to double quotes but fails to escape internal quotes within the error message text,” explains the researcher.
“This creates a situation where malicious code inside the error message itself can be executed.”
The standard TypeError exploit works by creating an invalid constructor call with specially crafted strings:
javascriptnew 'foo"-alert(1)//'
//TypeError: "foo"-alert(1)//" is not a constructor
When Safari generates the error message, it inadvertently creates executable JavaScript code.
The browser treats “TypeError:” as a label statement, while the unescaped quotes and payload within the message become functional code when passed to an evaluator.
Combining Error Handling with Payload Execution
What makes this discovery particularly innovative is the researcher’s technique of combining the TypeError exploit with JavaScript’s error handling mechanisms.
Rather than using conventional methods that require explicit throw statements, this approach leverages the automatic error generation process.
By assigning the eval function to the onerror handler, any generated error messages are automatically passed to eval, which then executes the code embedded within the error message:
javascriptonerror=eval;
new 'foo"-alert(1)//'
This technique eliminates the need for traditional throw statements while still achieving code execution through exception handling.
Payload Concealment and Exploitation in the Wild
The most concerning aspect of this vulnerability is how the payload can be concealed within the window.name property.
Despite Safari’s security measures that normally clear window.name during navigation, attackers can circumvent this protection using HTML target attributes or window.open methods.
The entire attack can be condensed to a remarkably compact form:
javascriptonerror=eval,new name
This concise vector allows attackers to execute arbitrary code from within the window.name parameter, potentially leading to session hijacking, data theft, or other malicious activities.
Security experts recommend that Safari users ensure their browsers are updated to the latest version as Apple works to patch this vulnerability.
Web developers should implement Content Security Policy (CSP) headers and other defensive measures to mitigate the risk of XSS attacks leveraging this technique.
Until a formal patch is released, security researchers advise caution when visiting untrusted websites, particularly those that might attempt to manipulate window properties or trigger JavaScript errors.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?w=1200&resize=1200,0&ssl=1 "Warning for WordPress Admins – Fake SEO Plugins Hijacking Websites")
%20(1).webp?w=1200&resize=1200,0&ssl=1 "Apache APISIX Flaw Enables Unauthorized Cross-Issuer Access Due to Misconfigurations")
%20(1).webp?w=1200&resize=1200,0&ssl=1 "Instagram Adopts Daily TLS Certificate Rotation with One-Week Validity")
