The touch-events implementation in WebKit in Apple iOS before 8.3 allows remote attackers to trigger an association between a tap and an unintended web resource via a crafted web site.
http://lists.apple.com/archives/security-announce/2015/Apr/msg00002.html