CVE-2021-1879 — Apple iOS, iPadOS, and watchOS WebKit Cross-Site Scripting (XSS) Vulnerability

CVE-2021-1879

Apple WebKit — Universal Cross-Site Scripting Zero-Day Bypasses Same-Origin Policy via Malicious Web Content; Exploited in Targeted Surveillance Attacks Before March 2021 Patch

What is WebKit Universal XSS?

WebKit is Apple's browser rendering engine used in Safari, all iOS/iPadOS browsers (Apple mandates WebKit for all browser apps on iOS), and watchOS's web-capable applications. A Universal Cross-Site Scripting (UXSS) vulnerability in WebKit is fundamentally different from a standard XSS attack: rather than injecting scripts into a specific website, UXSS exploits a bug in the browser engine itself to execute JavaScript in the context of any arbitrary origin — bypassing the Same-Origin Policy (SOP) that is the cornerstone of browser security. UXSS allows an attacker to steal cookies, read DOM content, and perform actions as the victim user on any website the browser has open or has stored session state for, including banking, email, and corporate portals.

Overview

CVE-2021-1879 is a WebKit universal cross-site scripting (UXSS) zero-day that Apple stated "may have been actively exploited" before the March 26, 2021 patch in iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. Processing maliciously crafted web content triggers the UXSS, enabling JavaScript execution across security origins in Safari and in every other iOS browser (all of which must use WebKit). The Scope: Changed (S:C) component of the CVSS vector reflects that the injected script escapes the page's security context into other origins. The fix shipped as an out-of-band emergency update (not on Apple's regular release schedule), confirming active in-the-wild exploitation. CISA added it to the KEV catalog in November 2021.

Affected Versions

Product                             Vulnerable   Fixed
iOS and iPadOS 14.4.1 and earlier   Yes          iOS 14.4.2 / iPadOS 14.4.2
watchOS 7.3.2 and earlier           Yes          watchOS 7.3.3
iOS 12 (older devices)              Yes          iOS 12.5.2 (separate patch)

Technical Details

  • Root cause: Universal cross-site scripting (CWE-79) in WebKit. The specific mechanism is not fully publicly documented. UXSS vulnerabilities typically involve incorrect origin tracking during navigation events, frame/document lifecycle operations, or URI scheme handling, which allows a script from one origin to be evaluated in the context of another; here, WebKit processes maliciously crafted web content in a way that grants the injected JavaScript a different origin's security context
  • Same-Origin Policy bypass: The UXSS allows JavaScript injected via the malicious page to read cookies, localStorage, IndexedDB, and make authenticated requests to any website for which the device has an active session — effectively providing a browser-level credential harvester
  • iOS-wide impact: Because Apple mandates WebKit for all browser apps on iOS and iPadOS, CVE-2021-1879 affects every browser on iOS (Safari, Chrome for iOS, Firefox for iOS, etc.), not just Safari; this maximizes the attack surface compared to other platforms' browser vulnerabilities
  • Surveillance chain context: WebKit UXSS vulnerabilities are highly valued in commercial surveillance frameworks (such as NSO Group's tools) because they enable session cookie theft from any authenticated website on the device without requiring additional kernel exploitation — the attacker can exfiltrate the victim's email, cloud storage, social media, and banking sessions from the browser's stored cookies
  • Out-of-band patch urgency: Apple's emergency release (not part of a regular update cycle) signals exploitation of high-value targets requiring immediate response; the simultaneous iOS, iPadOS, and watchOS patches confirm multi-platform exploitation of the same WebKit vulnerability

Discovery

Apple credited Clement Lecigne of Google's Threat Analysis Group (TAG) and Billy Leonard of TAG with discovery. Google TAG tracks state-sponsored exploitation of zero-day vulnerabilities — their attribution indicates CVE-2021-1879 was observed in targeted attacks against high-value individuals, consistent with commercial surveillance vendor exploitation chains.

Exploitation Context

Apple WebKit UXSS zero-days are among the most valuable iOS vulnerabilities for surveillance operations: they provide access to all authenticated browser sessions without requiring kernel-level exploitation, making them efficient and relatively stealthy. Google TAG's discovery and the "actively exploited" confirmation indicate government-sponsored or commercial surveillance tool (mercenary spyware) use against journalists, activists, government officials, or dissidents. The simultaneous watchOS patch suggests exploitation may have extended to Apple Watch devices, potentially for tracking purposes. CISA's KEV addition in November 2021 reflects continued exploitation of unpatched devices after the March 2021 patch release.

Remediation

  1. Update to iOS 14.4.2 / iPadOS 14.4.2 or later — the UXSS is patched; users on iOS 12 (older unsupported devices) should update to iOS 12.5.2
  2. Update watchOS to 7.3.3 or later
  3. Enable automatic iOS/iPadOS updates: Settings → General → Software Update → Automatic Updates
  4. For high-risk individuals (journalists, activists, government officials): consider using Lockdown Mode (iOS 16+) which further restricts WebKit functionality to reduce browser-based attack surface
  5. Regularly clear browser cookies and site data for sensitive accounts; use dedicated browsers for high-sensitivity sessions where practical
  6. Monitor Apple's security update page for future emergency patches — out-of-band updates signal active exploitation and require immediate application

Key Details

Property              Value
CVE ID                CVE-2021-1879
Vendor / Product      Apple — iOS, iPadOS, and watchOS
NVD Published         2021-04-02
NVD Last Modified     2025-10-23
CVSS 3.1 Score        6.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity              MEDIUM
CWE                   CWE-79
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Changed
Confidentiality       Low
Integrity             Low
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date          Event
2021-03-26    Apple releases iOS 14.4.2, iPadOS 14.4.2, watchOS 7.3.3 patching CVE-2021-1879; confirmed "may have been actively exploited"
2021-04-02    CVE published
2021-11-03    Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17    CISA BOD 22-01 remediation deadline