PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-2363 Apple CVE debrief

CVE-2017-2363 is an Apple WebKit information-disclosure issue that can let a crafted website bypass the browser’s Same Origin Policy and read sensitive data. The CVE is rated CVSS 6.5 (Medium) and affects iOS, Safari, tvOS, and watchOS versions listed in the NVD record.

Vendor: Apple
Product: CVE-2017-2363
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

Security teams managing Apple endpoints and browsers should care most, especially if they support older iOS, Safari, tvOS, or watchOS releases still in use. Web application and identity teams should also care because the issue is triggered by a crafted website and can expose data from browser sessions.

Technical summary

The NVD record classifies the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and gives the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The affected versions listed are iOS before 10.2.1, Safari before 10.0.3, tvOS before 10.1.1, and watchOS before 3.1.3; the record also includes WebKitGTK+ before 2.16.3. The issue is described as a Same Origin Policy bypass triggered by a crafted website, which is why the vector requires user interaction (UI:R) while rating the confidentiality impact high (C:H) and leaving integrity and availability unaffected.

Defensive priority

Medium

Recommended defensive actions

  • Verify whether any managed Apple devices or Safari installations are at or below the affected versions listed in the NVD record.
  • Prioritize patching or upgrading to the fixed versions identified by Apple and reflected in the CVE record.
  • Treat access to untrusted websites as a higher-risk activity on unpatched systems until remediation is complete.
  • Review browser- and WebKit-dependent applications for exposure on older Apple platforms and update them as part of endpoint maintenance.
  • Use the vendor advisories linked in the record to confirm platform-specific remediation guidance.
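The first action above, checking an inventory against the fixed versions from the NVD record, is easy to get wrong with plain string comparison ("9.3.5" sorts after "10.2.1" as text). The following added example, which is not part of the debrief, compares versions numerically and pads short version strings so that "10.2" is treated as 10.2.0. The inventory and device names are constructed sample data; the fixed-version thresholds are the ones quoted in the technical summary.

```python
import re

# Fixed versions from the NVD record: anything strictly below is affected.
FIXED_VERSIONS = {
    "iOS": "10.2.1",
    "Safari": "10.0.3",
    "tvOS": "10.1.1",
    "watchOS": "3.1.3",
    "WebKitGTK+": "2.16.3",
}


def parse_version(text: str) -> tuple:
    """Turn '10.0.3' into (10, 0, 3); tolerates a leading 'v' and a trailing build tag like '10.2.1 (14D27)'."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison; zero-pads so '10.2' == '10.2.0' and '9.3.5' < '10.2.1'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(platform: str, version: str) -> bool:
    """True when the installed version is below the fixed release for that platform."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise KeyError(f"no fixed version known for platform {platform!r}")
    return version_lt(version, fixed)


def find_affected(inventory: list) -> list:
    """Return the inventory entries that still need the update."""
    return [entry for entry in inventory if is_affected(entry["platform"], entry["version"])]


# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = [
    {"device": "iphone-01", "platform": "iOS", "version": "10.2"},      # below 10.2.1
    {"device": "iphone-02", "platform": "iOS", "version": "10.2.1"},    # fixed
    {"device": "iphone-03", "platform": "iOS", "version": "9.3.5"},     # string comparison would miss this one
    {"device": "mac-01", "platform": "Safari", "version": "10.0.2"},    # below 10.0.3
    {"device": "mac-02", "platform": "Safari", "version": "10.1"},      # 10.1.0 is above 10.0.3
    {"device": "atv-01", "platform": "tvOS", "version": "10.1"},        # below 10.1.1
    {"device": "watch-01", "platform": "watchOS", "version": "3.1.3"},  # fixed
]

if __name__ == "__main__":
    for entry in find_affected(SAMPLE_INVENTORY):
        fixed = FIXED_VERSIONS[entry["platform"]]
        print(f"{entry['device']}: {entry['platform']} {entry['version']} is below fixed release {fixed}")
```

Feed it the platform/version pairs exported from your MDM or asset system; devices whose platform is not in the table raise a KeyError rather than silently passing, so unknown platforms get looked at instead of being counted as patched.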

Evidence notes

This debrief is based on the official CVE/NVD record for CVE-2017-2363, which states the issue was published on 2017-02-20 and later modified in NVD on 2026-05-13. The record identifies Apple as the vendor, WebKit as the affected component, and the impact as Same Origin Policy bypass leading to sensitive information disclosure. NVD also lists vendor advisories and third-party references for the issue; the record does not indicate KEV inclusion.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-20; NVD record last modified on 2026-05-13.