Software Update: Apple Safari 12.1.1

Apple has released a new version of its web browser Safari with 12.1.1 as the version number. In version 12.1, a dark mode and intelligent anti-tracking were added, among other things. In this update, it appears that some hard work has been done to fix some security vulnerabilities in WebKit. The list of changes in this release is as follows:

Safari 12.1.1Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571:01 working with Trend Micro’s Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597:01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro’s Zero Day Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß or Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro’s Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß or Google Project Zero
CVE-2019-8623: Samuel Groß or Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab

We would like to acknowledge Michael Ball of Gradescope by Turnitin for their assistance

Safari 12.1 Release Notes

Safari 12.1 ships with iOS 12.2 and macOS 10.14.4. It’s also available for macOS 10.13.6 and 10.12.6. New features of Safari 12.1 include:

• Dark Mode for the Web. The ability to enable color scheme customizations for websites while in Dark Mode.
• Intelligent Tracking Prevention. New permission requirements for third-party cookies and new limits for long-term tracking.

General

• Updated the push notification prompt for Safari on macOS to require a user gesture.
• Updated the behavior of websites saved to the home screen on iOS to pause in the background instead of relaunching each time.

Password AutoFill

• Updated Password AutoFill to sign in automatically to websites after filling in the credentials.

Security and Privacy

• Added warnings displayed to the user when loading insecure pages in both Safari and in SFSafariViewController.
• Added Motion & Orientation settings on iOS to enable the DeviceMotionEvent and DeviceOrientationEvent events.
• Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.
• Updated the link behavior for “target=_blank” to include rel=”noopener” implicitly.

Intelligent Tracking Prevention

• Removed support for partitioned cookies for domains with cross-site tracking capabilities. The Storage Access API now provides third-party access to cookies.
• Improved Intelligent Tracking Prevention to limit long-term tracking based on client-side first-party cookies and to verify partitioned cache entries.

Web API

• Added a supported-color-schemes meta tag to indicate a website supports light and dark color schemes.
• Added support for the Intersection Observer API, which detects the intersection of visible elements relative to other elements. Elements include the viewport of the top-level document.
• Added support for the Web Share API to invoke the native share dialog provided by the system.
• Added support for .
• Added support for the

Payment Request API

• Added support for granular errors.
• Added support in Wallet & Apple Pay preferences for using the default contact information for the shipping address, email, and phone. On iOS, set preferences in the Transaction Defaults category in Settings > Wallet & Apple Pay. On Mac, set preferences in System Preferences > Wallet & Apple Pay > Contacts and Shipping.
• Added support for the default addresses and contacts configured in the Contacts and Shipping in the Wallet system preferences on iOS and macOS.
• Added support for special fields for Japan including phoneticName, subLocality, and subAdministrativeArea.

CSS and Text

• Added support for the CSS media queries prefers-color-scheme: light and prefers-color-scheme: dark.
• Added support for CSS rules to customize text decorations like underlines and dashed underlines.
• Added support for new rgb() color functions from the CSS Color 4 specification.

Media

• Added support for H.264 simulcast and VP8 in WebRTC to improve support for multi-party video conferencing.
• Enabled cross-browser Encrypted Media Extensions (EME) by adding APIs without the webkit prefix.

Safari App Extension API

• Added getAllWindows(completionHandler:) and getAllTabs(completionHandler:) for iterating over all open windows and tabs.
• Added getContainingTab(completionHandler:) and getContainingWindow(completionHandler:) access to the containing tab and window objects.
• Added a close method to SFSafariWindow and SFSafariTab for closing windows and tabs.
• Added navigate(to:) for changing the URL of a tab.
• Added getScreenshotOfVisibleArea(completionHandler:) for taking a screenshot of the visible contents of a page.
• Added showPopover() and dismissPopover() for showing and dismissing extension popovers.
• Added getBaseURI(completionHandler:) for retrieving the base URI in the app extension process.
• Improved support for navigating backwards and forwards.

Web Inspector and Tools

• Added support for multiple selection of DOM tree nodes and of entries in the Cookies table.
• Improved styles editing with multiple selection support.
• Updated Timelines to include media events.