HACKER Q&A
📣 moritzwarhier

What happened to Apple's “rapid response” security updates


During the past two days, Apple has released updates 16.5.1a to iOS and macOS, ostensibly fixing zero-days that have been exploited and/or observed in the wild. [1]

Then they pulled them, referencing "breaking changes" to Safari, as rumors say, because of the user-agent string.

So if the problem really was the version number string, that should be easy to fix by increasing the version number instead of appending "a" to it.

However, this might not be the full story...?

Currently there seems to be no simple way to obtain the updates. But when announced, they were ostensibly fixing serious zero-click RCE vulnerabilities.

I couldn't find any official communication regarding this, so..?

[1] https://support.apple.com/en-us/HT201224


  👤 cookiengineer Accepted Answer ✓
The current CVE-2023-37450 seems to be related to the InjectedBundle API, which also allows IndexedDB access.

Back in 2021 there was the "history leaking" bug where you could write a little JS code to access the devtools whose window shared the IndexedDB with the rest of all tabs (and cookies, and userdata etc).

If you take a look at the recent WebKit commits, it seems like there were a bunch of bugs related to the InjectedBundle; that's why I am assuming it might be a critical RCE that results in yet another use-after-free in the IndexedDB or related code.

Back when I forked off RetroKit as a WebKit fork, I also decided to reduce the attack surface in terms of what is shared across the web contexts. I decided to remove a lot of APIs that I thought were too unsafe, both in terms of tracking and exploitation. [3]

[1] https://googleprojectzero.github.io/0days-in-the-wild/0day-R...

[2] https://github.com/WebKit/WebKit/commits

(see also the other release versions, not only main branch)

[3] https://github.com/tholian-network/retrokit/blob/main/SECURI...


👤 racedude
It has to do with the parentheses around the security response letter and how websites parsed it looking for the contents of said parentheses. It went from expected values to just “a” with the initial security response update.

There’s only a certain subset of things a security response update can address and I don’t think they wanted to increase the version number just for this.

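To make the parsing failure described in the comment above concrete, here is an added example (my own illustration, not code from the thread or from Apple). The two user-agent strings are constructed; the exact form of the suffix, a single letter in parentheses after the "Version/" token, is assumed from the comment, not taken from an Apple document. The brittle parser mirrors the common mistake: it positionally trusts parenthesised groups and the token before "Safari/", so the extra "(a)" group shifts everything. The tolerant parser anchors on the labelled tokens it actually needs and treats unknown parenthesised groups as noise.

```javascript
// Added example: brittle vs. tolerant User-Agent parsing around an appended
// "(a)" group. Both UA strings below are constructed for illustration; the
// "(a)" placement is an assumption based on the discussion, not a quoted UA.
const UA_BEFORE =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.1 Safari/605.1.15";
const UA_RSR =
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 " +
  "(KHTML, like Gecko) Version/16.5.1 (a) Safari/605.1.15";

// Brittle parser: collects every "(...)" group and assumes the LAST one is
// the engine comment "(KHTML, like Gecko)", and that the whitespace token
// immediately before "Safari/" is the "Version/x.y.z" token.
function parseNaive(ua) {
  const groups = [...ua.matchAll(/\(([^)]*)\)/g)].map((m) => m[1]);
  const tokens = ua.split(/\s+/);
  const safariIdx = tokens.findIndex((t) => t.startsWith("Safari/"));
  const versionToken = tokens[safariIdx - 1]; // "(a)" once the suffix is present
  return {
    platform: groups[0],
    engineComment: groups[groups.length - 1], // becomes "a" on the RSR build
    version: versionToken.split("/")[1],      // undefined on the RSR build
  };
}

// Tolerant parser: every field is extracted by a labelled, anchored pattern,
// so an unexpected parenthesised group anywhere in the string is ignored.
// The optional RSR letter is captured separately instead of displacing data.
function parseRobust(ua) {
  const platform = /^Mozilla\/5\.0 \(([^)]*)\)/.exec(ua);
  const webkit = /\bAppleWebKit\/(\d+(?:\.\d+)*)/.exec(ua);
  const version = /\bVersion\/(\d+(?:\.\d+)*)/.exec(ua);
  const rsr = /\bVersion\/[\d.]+ \(([a-z])\) Safari\//.exec(ua);
  return {
    platform: platform ? platform[1] : null,
    webkit: webkit ? webkit[1] : null,
    version: version ? version[1] : null,
    rsrLetter: rsr ? rsr[1] : null, // null on an ordinary release
  };
}

// Side-by-side comparison for both constructed strings.
function compare(ua) {
  return { naive: parseNaive(ua), robust: parseRobust(ua) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(compare(UA_BEFORE), null, 2));
  console.log(JSON.stringify(compare(UA_RSR), null, 2));
}
```

The practical takeaway for a site operator is the second function: feature-detect where you can, and where you must read the UA, match labelled tokens with anchored patterns rather than counting groups or positions.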

👤 legrande
A small mitigation: disable JS in Safari.