An easy-to-exploit cross-site scripting (XSS) vulnerability was located in Yahoo Mail's mobile site by security researcher, Ibrahim Raafat.
All an attacker needed to do was compose an email that contains an XSS payload and send it to their target. The payload was completed once the victim opened their Yahoo Mail from the mobile site. The malicious code could've been executed even without the victim opening the attacker's email—simply opening the inbox from the mobile site was enough to do the trick.
Raafat reported that the flaw did not affect Yahoo Mail mobile applications. Yahoo! was advised of the vulnerability on 11 November via HackerOne. The flaw was patched on 21 November.