WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 does not properly restrict access to the location variable, which allows remote attackers to obtain sensitive information via a crafted web site.
lists.apple.com/archives/security-announce/2016/Sep/msg00007.html
lists.apple.com/archives/security-announce/2016/Sep/msg00008.html
lists.apple.com/archives/security-announce/2016/Sep/msg00012.html
mksben.l0.cm/2016/09/safari-uxss-showModalDialog.html
www.securityfocus.com/bid/93066
www.securitytracker.com/id/1036854
support.apple.com/HT207143
support.apple.com/HT207157
support.apple.com/HT207158