WebKit contains a flaw in the 'HTMLFrameElementBase::insertedIntoDocument' and 'HTMLFrameElementBase::setRemainsAliveOnRemovalFromTree' functions in WebCore/html/HTMLFrameElementBase.cpp related to handling of a "magic frame". With a specially crafted web page, a context-dependent attacker can bypass the same-origin policy restrictions.

It has been reported that this issue has been fixed. Upgrade to version 1.8.0, or higher, to address this vulnerability.

Upgrade to Google Chrome version 17.0.963.83, Apple iOS 5.1.1, and Apple Safari 5.1.7, or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1026841
• CVE ID: 2011-3056 (see also: NVD)
• Secunia Advisory ID: 47292 48512 48527 48729
• Related OSVDB ID: 80232 80288 80289 80290 80291 80292 80293 80295 81794
• Vendor Specific News/Changelog Entry: http://googlechromereleases.blogspot.com/2012/03/stable-channel-update_21.html
  http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00000.html
  http://www.gentoo.org/security/en/glsa/glsa-201203-19.xml
  https://bugs.webkit.org/show_bug.cgi?id=80766 [ Auth Req'd ]
  https://chromiumcodereview.appspot.com/9768010
• Mail List Post: http://lists.apple.com/archives/security-announce/2012/May/msg00000.html
  http://lists.apple.com/archives/security-announce/2012/May/msg00002.html
• Vendor Specific Solution URL: http://trac.webkit.org/changeset/111108
• Vendor Specific Advisory URL: https://code.google.com/p/chromium/issues/detail?id=117550

• Sergey Glazunov