WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 does not properly restrict access to the location variable, which allows remote attackers to obtain sensitive information via a crafted web site.
Apple Security Advisory 2016-09-20-2 - Safari 10 is now available and addresses cross site scripting, code execution, and various other vulnerabilities.