Navercorp Whale
19 CVEs affecting Navercorp Whale. Latest disclosed: 2025-12-30. Critical: 4, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-62583 | Critical | 9.8 | 2025-10-16 | Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment. |
| CVE-2025-53599 | Critical | 9.8 | 2025-07-04 | Whale browser for iOS before 3.9.1.4206 allows an attacker to execute malicious scripts in the browser via a crafted javascript scheme. |
| CVE-2022-24074 | Critical | 9.8 | 2022-03-17 | Whale Bridge, a default extension in Whale browser before 3.12.129.18, allowed to receive any SendMessage request from the content script itself that could lea… |
| CVE-2025-69234 | Critical | 9.1 | 2025-12-30 | Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment. |
| CVE-2018-9859 | High | 8.1 | 2018-06-16 | The path of Whale update service was unquoted in NAVER Whale before 1.0.40.7. This vulnerability can be used for persistent privilege escalation if it's availa… |
| CVE-2018-12449 | High | 7.8 | 2018-10-11 | The Whale browser installer 0.4.3.0 and earlier versions allows DLL hijacking. |
| CVE-2017-15913 | High | 7.8 | 2018-01-08 | The Installer in Whale allows DLL hijacking. |
| CVE-2025-69235 | High | 7.5 | 2025-12-30 | Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment. |
| CVE-2025-62585 | High | 7.5 | 2025-10-16 | Whale browser before 4.33.325.17 allows an attacker to bypass the Content Security Policy via a specific scheme in a dual-tab environment. |
| CVE-2025-62584 | High | 7.5 | 2025-10-16 | Whale browser before 4.33.325.17 allows an attacker to bypass the Same-Origin Policy in a dual-tab environment. |
| CVE-2025-53600 | High | 7.5 | 2025-07-04 | Whale browser before 4.32.315.22 allows an attacker to bypass the Same-Origin Policy in a dual-tab environment. |
| CVE-2022-24073 | High | 7.1 | 2022-03-17 | The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store. |
| CVE-2022-24075 | Medium | 6.5 | 2022-03-17 | Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP f… |
| CVE-2022-24072 | Medium | 6.1 | 2022-03-17 | The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools… |
| CVE-2020-9754 | Medium | 5.3 | 2022-06-27 | NAVER Whale browser mobile app before 1.10.6.2 allows the attacker to bypass its browser unlock function via incognito mode. |
| CVE-2021-33593 | Medium | 5.3 | 2021-11-02 | Whale browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar which may lead to address bar… |
| CVE-2018-12448 | Medium | 5.3 | 2018-08-02 | Whale Browser before 1.3.48.4 displays no URL information but only a title of a web page on the browser's address bar when visiting a non-http page, which allo… |
| CVE-2018-7635 | Medium | 5.3 | 2018-07-03 | Whale Browser before 1.0.41.8 displays no URL information but only a title of a web page on the browser's address bar when visiting a blank page, which allows… |
| CVE-2022-24071 | Medium | 4.3 | 2022-01-28 | A Built-in extension in Whale browser before 3.12.129.46 allows attackers to compromise the rendering process which could lead to controlling browser internal… |