Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
The error classified as CWE-358 (Improperly Implemented Security Check for Standard) consists of improper implementation of the sandbox isolation mechanism for the iframe element in the context of the dual-tab environment of the Whale browser. An attacker can prepare appropriate conditions in an environment with two tabs, which cause the restrictions imposed by the iframe sandbox to not be properly enforced. As a result, code executed inside the isolated frame can escape its boundaries.
Successful exploitation of the vulnerability allows an attacker to bypass iframe sandbox isolation mechanisms, which may result in unauthorized access to browser resources, data from other tabs, or execution of unintended code outside the sandbox environment.
The Whale Browser should be updated as soon as possible to version 4.33.325.17 or newer, in which the vulnerability has been fixed. Detailed information is available in the vendor's references at https://cve.naver.com/detail/cve-2025-62583.html
Navercorp Whale Browser in versions prior to 4.33.325.17
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNavercorp Whale
APPNavercorp< 4.33.325.17
Related vulnerabilities
Whale Browser — ucieczka z iframe sandbox w środowisku sidebar
XSS w Whale Browser dla iOS — wykonanie złośliwych skryptów przez schemat javascript
Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage requ...
Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment.
Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific schem...