CVE-2018-15669
In Bloop Airmail 3.5.9 for macOS, the primary WebView policy function webView:decidePolicyForNavigationAction:request:frame:decisionListener: blacklists only requests from HTMLIFrameElements. Other HTMLFrameOwnerElements subclasses are not restricted, allowing an attacker to abuse HTML plug-in el...