CCE-50164-3Platform: cpe:/o:apple:mac_os_13 | Date: (C)2024-04-17 (M)2024-04-17 |
Bowser pop-up windows have long been one of the most annoying delivery mechanisms of unwanted web content. The content can be as unwanted content, including Not Safe For Work, or malicious content relying on a user interacting with the pop-up. Safari has a built-in capability to disable pop-ups that should be enabled.
Rationale:Pop-up windows are almost always unwanted content and should be blocked.
Impact:Obsolete web content delivery systems may still rely on pop-ups on internal web portals. Specific domains can be set to be allowed if absolutely necessary. Web Developers should update content to reduce risk in the environment so that no pop-ups are allowed.
Remediation:
Profile Method:
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.Safari
2. The key to include is safariAllowPopups
3. The key must be set to: <false/>
Parameter:
[Yes/No]
Technical Mechanism:
Remediation:
Profile Method:
Create or edit a configuration profile with the following information:
1. The PayloadType string is com.apple.Safari
2. The key to include is safariAllowPopups
3. The key must be set to: false/
CCSS Severity: | CCSS Metrics: |
CCSS Score : 8.8 | Attack Vector: NETWORK |
Exploit Score: 2.8 | Attack Complexity: LOW |
Impact Score: 5.9 | Privileges Required: NONE |
Severity: HIGH | User Interaction: REQUIRED |
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:99056 |