Safari in Apple iOS before 8.4.1 does not limit the rate of JavaScript alert messages, which allows remote attackers to cause a denial of service (apparent browser locking) via a crafted web site.