A new bug has been discovered in iOS 6 that has to do with the Smart App Banners feature. It seems that the banners, which websites can implement to give users a direct link to apps, will turn on the JavaScript setting in Safari without warning.

On the surface, this may not seem like a very big deal. After all, most folks don't mess with the JavaScript settings on their iOS devices because a lot of websites require it. But the fact that these Smart Banners are turning it on, unbeknownst to users, is a bit troubling.

The bug was first discovered back in October by hacker Andrew Plotkin, and was recently brought to light again by AppleInsider. The site spoke with Peter Eckersley of the digital rights group EFF, who described the issue as a serious privacy and security vulnerability.

"It is a security issue, it is a privacy issue, and it is a trust issue," Eckersley said. "Can you trust the UI to do what you told it to do? It's certainly a bug that needs to be fixed urgently."

But Lysa Myers of Intego, a security firm, doesn't think it's quite that serious: "while this issue is certainly not an ideal situation, by itself it actually isn't that large a problem." She notes, though, that she'll continue to monitor it to make sure it doesn't become more exploitable.



If you want to see the bug firsthand, simply execute the following steps on your iOS device:

  • Close all the way out of Safari and open the Settings app.
  • In Settings, select the Safari tab, scroll all the way down to the Security section and disable JavaScript.
  • Re-open Safari and visit a website that has a Smart App Banner, like store.apple.com.
  • Finally, close down Safari and revisit the Safari Security section in the Settings app.


You should notice that the JavaScript feature has been automatically re-enabled. And it'll actually stay that way until you disable it again. I was able to reproduce the bug on my iPhone 5 running iOS 6, but it's been said that it's present in all iOS 6 builds, including the 6.1 betas.

Again, at the moment, there's really nothing to worry about unless, of course, you keep JavaScript off; then it's annoying. But the fact that these Smart Banners are overriding user settings without consent is still pretty sketchy.
