WebKit does not properly restrict focus changes, which allows remote attackers to read keystrokes via "cross-domain IFRAME gadgets," a different vulnerability than CVE-2010-1126, CVE-2010-1422, and CVE-2010-2295.

The JavaScript implementation in WebKit allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method.