The exploit is caused by a violation of the same-origin policy in WebKit's implementation of the IndexedDB API, and also affects all browsers on iOS/iPadOS 15.
The Keen Team demonstrates two mobile Safari vulnerabilities, which grant access to Facebook credentials and photos stored on an iPhone 5 running iOS 7.0.3 or iOS 6.1.4.