I'll quote Michal Zalewski, who discovered the vulnerability (http://seclists.org/fulldisclosure/2007/Jun/0026.html):

When Javascript code instructs [the browser] to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page, for example:

- Read or set victim.document.cookie,
- Arbitrarily alter document DOM, including changing form submission URLs, injecting code,
- Read or write DOM structures that were not fully initialized, prompting memory corruption and browser crash.

Proof of concept located at http://lcamtuf.coredump.cx/ierace/

Confirmed vulnerable on fully-patched Tiger installation with nightly WebKit build r22026.
<rdar://problem/5255829>
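The race in the description above lends itself to a regression check. The page below is an added example written for this thread; it is not the ierace proof of concept and not a WebKit layout test. It assumes it is served over HTTP from the origin whose cookies are being protected, that popups are allowed for that origin, and that THIRD_PARTY (https://example.org/ here, a placeholder) is any origin other than the serving one. It opens a same-origin window, tells it to navigate to the third party, and keeps polling victim.document.cookie and victim.location.hostname while the navigation is in flight. A browser that enforces the origin check correctly returns only the same-origin state until the navigation commits and throws a SecurityError after that, so a read that succeeds but shows foreign state is exactly the "old page's permissions, new page's content" window Zalewski describes.

```html
<!DOCTYPE html>
<!-- Added example for the cross-origin navigation race described in this bug.
     Not the ierace PoC and not a WebKit layout test.
     Assumptions: served over HTTP from the origin whose cookies we care about,
     popups allowed for that origin, THIRD_PARTY is a reachable foreign origin. -->
<html>
<head><meta charset="utf-8"><title>navigation race check</title></head>
<body>
<button id="run">Run</button>
<pre id="log"></pre>
<script>
// Placeholder third-party destination; any origin other than ours will do.
const THIRD_PARTY  = 'https://example.org/';
const SETTLE_MS    = 1000;  // let the same-origin popup finish loading first
const DURATION_MS  = 3000;  // how long to keep polling after starting navigation

const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };

// Marker cookie so we can distinguish our own cookie jar from anything foreign.
document.cookie = 'race_marker=1; path=/';
const ourCookie = document.cookie;

let victim = null;
let polls = 0, allowed = 0, denied = 0, leaks = 0;

function poll() {
  polls++;
  try {
    // Before the navigation commits these reads return our same-origin state.
    // After it commits a correct browser throws SecurityError on both.
    const cookie = victim.document.cookie;
    const host   = victim.location.hostname;
    allowed++;
    if (host !== location.hostname || cookie !== ourCookie) {
      // A successful read exposing foreign state is the race from the report.
      leaks++;
      log('LEAK: host=' + host + ' cookie=' + JSON.stringify(cookie));
    }
  } catch (e) {
    denied++;  // expected once the cross-origin document has replaced ours
  }
}

function start() {
  // 2. Instruct the same-origin window to navigate to an unrelated site.
  victim.location = THIRD_PARTY;
  // 3. Concurrently hammer the window for the duration of the navigation.
  const timer = setInterval(poll, 0);
  setTimeout(() => {
    clearInterval(timer);
    log('polls=' + polls + ' allowed=' + allowed + ' denied=' + denied + ' leaks=' + leaks);
    log(leaks === 0 ? 'PASS: no cross-origin state observed'
                    : 'FAIL: cross-origin state observed during navigation');
    victim.close();  // window.close() stays callable on a cross-origin opener-owned window
  }, DURATION_MS);
}

document.getElementById('run').addEventListener('click', () => {
  polls = allowed = denied = leaks = 0;
  // 1. Open a same-origin window (this very page) that we are allowed to script.
  victim = window.open(location.href, 'victim');
  if (!victim) { log('popup blocked; allow popups for this origin and retry'); return; }
  setTimeout(start, SETTLE_MS);
});
</script>
</body>
</html>
```

Serve it from a real HTTP origin rather than file:// (file origins are treated inconsistently across browsers) and press Run. The check is opportunistic: it can only observe the race at the granularity of setInterval callbacks, so leaks=0 shows the race was not hit, not that it cannot be hit; a nonzero leaks count is conclusive. In a fixed build every read after the navigation commits should land in the denied counter.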
I have been able to reproduce this on WebKit ToT, but not in shipping WebKit.
(In reply to comment #2)
> I have been able to reproduce this on WebKit ToT, but not in shipping WebKit.

Therefore this is a regression.
Fix landed r23599