PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2350 Apple CVE debrief

CVE-2017-2350 describes a WebKit flaw affecting Apple platforms that could let a remote attacker use a crafted website to bypass the Same Origin Policy and read sensitive information. Apple listed affected versions of iOS before 10.2.1, Safari before 10.0.3, and tvOS before 10.1.1. NVD also maps WebKitGTK+ before 2.16.3 to this issue. The impact is confidentiality-focused and requires user interaction through web content.

Vendor: Apple
Product: CVE-2017-2350
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Organizations and individuals running affected Apple devices or browsers, especially where users regularly browse untrusted websites. Security teams should prioritize managed fleets of iPhone/iPad, Safari on Apple systems, and tvOS deployments, as well as environments that track WebKit-based components.

Technical summary

The issue is a Same Origin Policy bypass in WebKit. In practical terms, a maliciously crafted website could cause the browser engine to expose information that should have remained isolated to a different origin. The NVD CVSS vector reflects network delivery, low attack complexity, no privileges required, and user interaction, with confidentiality impact only (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

Defensive priority

Medium. The vulnerability does not indicate integrity or availability impact, but it can expose sensitive web-origin data and affects widely deployed client software. Remediation should be applied promptly on any systems still running affected versions.

Recommended defensive actions

  • Update affected Apple devices to iOS 10.2.1 or later.
  • Update Safari to 10.0.3 or later on affected systems.
  • Update tvOS to 10.1.1 or later on affected systems.
  • If your environment tracks WebKitGTK+, verify whether the WebKitGTK+ range mapped in NVD (versions before 2.16.3) applies and update to 2.16.3 or a later fixed release.
  • Use the linked Apple vendor advisories and NVD record to confirm exact remediation guidance for each platform.
  • Treat untrusted websites as a credible trigger path until affected versions are fully remediated.
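Each of the actions above is an "earlier than X is affected" rule, and the most common triage mistake is to treat a version equal to the fix as still vulnerable, or to compare version strings lexically ("10.10" sorts before "10.3"). The following is an added example, not part of the original debrief, that applies the four version ceilings stated on this page to a constructed inventory; the inventory lines, host names and the `product,version` layout are assumptions made for the example.

```python
# Version ceilings taken from the debrief: anything strictly below these is affected.
FIXED_VERSIONS = {
    "iOS": "10.2.1",
    "Safari": "10.0.3",
    "tvOS": "10.1.1",
    "WebKitGTK+": "2.16.3",
}


def parse_version(text):
    """Turn '10.2' or '2.16.3' into a tuple of ints so comparison is numeric, not lexical."""
    text = text.strip()
    if not text:
        raise ValueError("empty version string")
    try:
        return tuple(int(p) for p in text.split("."))
    except ValueError:
        raise ValueError("non-numeric version component in %r" % text)


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing a to b; shorter tuples are padded with zeros (10.2 == 10.2.0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(product, version):
    """True when the installed version is below the fixed version for that product."""
    if product not in FIXED_VERSIONS:
        raise KeyError("no ceiling recorded for product %r" % product)
    return compare_versions(version, FIXED_VERSIONS[product]) < 0


def triage_inventory(lines):
    """Given 'host,product,version' lines, return the hosts that still need the update."""
    needs_update = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if product in FIXED_VERSIONS and is_affected(product, version):
            needs_update.append(host)
    return needs_update


# Constructed sample inventory (hypothetical hosts, not from the debrief).
SAMPLE_INVENTORY = [
    "# host,product,version",
    "phone-01,iOS,10.2",          # below 10.2.1 -> affected
    "phone-02,iOS,10.2.1",        # equal to the fix -> not affected
    "phone-03,iOS,10.10",         # lexically 'smaller' than 10.3 but numerically newer
    "mac-01,Safari,10.0.2",       # affected
    "mac-02,Safari,10.0.3",       # fixed
    "tv-01,tvOS,10.1",            # affected
    "linux-01,WebKitGTK+,2.16.2", # affected
    "linux-02,WebKitGTK+,2.16.3", # fixed
    "linux-03,Chromium,56.0",     # not a WebKit product tracked here; skipped
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print("needs update:", host)
```

The comparison pads shorter version tuples with zeros so that an OS reporting "10.2" is treated as 10.2.0 and correctly flagged, while a build equal to the fixed version is not.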

Evidence notes

Derived from the supplied CVE description, NVD metadata, and Apple-linked vendor references. The CVE was published on 2017-02-20 and later modified in NVD on 2026-05-13; the later modified date should not be treated as the disclosure date. NVD lists affected CPEs for iPhone OS, Safari, tvOS, and WebKitGTK+ with the version ceilings provided in the source corpus.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-20. NVD metadata was later modified on 2026-05-13, but that does not change the original disclosure timing.