Apple's iOS 6.1 squashes 'Smart App Banner' bug that re-enabled JavaScript without user consent
With the release of iOS 6.1 on Monday, Apple addressed a potentially serious bug introduced in iOS 6 that would override a user's Mobile Safari JavaScript settings after visiting a webpage with a so-called "Smart App Banner."

Apple's iOS 6.1 fixes a JavaScript bug that would turn on JavaScript in Mobile Safari without a user's consent.
According to Apple's Support Webpage regarding iOS 6.1 security enhancements, and confirmed by AppleInsider, a bug that would inadvertently re-enable JavaScript in Mobile Safari without user interaction has been fixed in a tweak to the iOS StoreKit.
The issue first appeared when the Smart App Banner feature was introduced in iOS 6. Smart App Banners give developers an easy way to promote their iOS app within Safari by automatically detecting whether a specific app is on a user's device. If the app is present, the banner invites the user to exit Safari and open the standalone app. If the system does not detect the app, the banner offers a link to download the software from the App Store.
As seen in the example above, Pinterest's iOS app is not installed, thus a banner directing the user to install the app is displayed at the top of the service's web portal.
From the release notes:
Description: If a user disabled JavaScript in Safari Preferences, visiting a site which displayed a Smart App Banner would re-enable JavaScript without warning the user. This issue was addressed by not enabling JavaScript when visiting a site with a Smart App Banner.
Other security problems addressed with iOS 6.1 include a number of WebKit bugs including a memory corruption issue that could lead to the execution of arbitrary code or cause an app to unexpectedly quit after visiting a maliciously crafted website.
Apple released the latest version of iOS 6 earlier on Monday, bringing enhancements to iTunes Match, the ability to purchase movie tickets with Siri, support for more LTE carriers and a host of minor bug fixes and backend improvements.
Comments
Thanks for the update!
dZ.
The JS setting was on when I checked it, so I turned it off. ESPN's site (for example) says that it requires JavaScript for "optimal viewing experience." I'm not a seasoned pro like many of you are, but it seems like a privacy issue to me. If it is scanning your phone to determine if you have the app on your phone then no telling what other info they are pulling w/out your knowledge.
HOLY CRAP !!!!
This finally fixes the sort order of events and albums, in the Photo App.
This was an issue for me since "forever" !!!
The black cross is to dismiss Google not go to the application. Every other app I can dismiss but no YouTube...
Quote:
Originally Posted by Wide with Pride
These are the kind of AI articles I like. Useful info.
The JS setting was on when I checked it, so I turned it off. ESPN's site (for example) says that it requires JavaScript for "optimal viewing experience." I'm not a seasoned pro like many of you are, but it seems like a privacy issue to me. If it is scanning your phone to determine if you have the app on your phone then no telling what other info they are pulling w/out your knowledge.
The API scans your phone, not the site itself. The site has no idea what is on your phone as it is opaque to the site. Your device checks for the app, and shows you a result based on it being there or not. So it is not a privacy thing as the site never knows.