CVE-2025-53599
Whale · Whale browser for iOS
The Whale browser for iOS contains a vulnerability allowing remote code execution via a crafted javascript-scheme URI.
Executive summary
A critical vulnerability in Whale browser for iOS permits unauthenticated attackers to execute malicious scripts, posing a significant risk to user data and device integrity.
Vulnerability
This vulnerability involves improper handling of the javascript URI scheme, which can be leveraged by an unauthenticated attacker to execute arbitrary scripts within the browser context.
Business impact
The ability to execute unauthorized scripts in a mobile browser context can lead to credential theft, session hijacking, and the exposure of sensitive user data. Given the CVSS score of 9.8, this vulnerability represents a critical threat to organizational security if the browser is used to access corporate web applications.
Remediation
Immediate Action: Update the Whale browser for iOS to version 3.9.1.4206 or later to resolve the script execution flaw.
Proactive Monitoring: Monitor mobile device traffic for anomalous javascript-scheme requests and unexpected browser behavior.
Compensating Controls: Ensure that mobile device management (MDM) policies restrict the opening of untrusted external links until the update is applied.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This is a critical security update. Organizations must enforce the update to version 3.9.1.4206 across all managed iOS devices to prevent potential exploitation of this high-risk script injection vector.