The security hole was around for about 3 years until finally Apple patched it. According to Adi Sharabani and Yair Amit, from security company Skycure , that’s how long it took Apple to do something about it. They reported their findings back in June 3, 2013 and only disclosed information about the vulnerability, after Apple fixed it. According to their blog post here is how an attacker would have gained access to your device :
•Steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site.
•Perform a session fixation attack, logging the user into an account controlled by the attacker–because of the shared Cookie Store, when the victims browse to the affected website via Mobile Safari, they will be logged into the attacker’s account instead of their own.
On the other hand Apple failed to fix the battery percentage issue I mentioned earlier. You still have to use the workaround. For a full list of security bugs and fixes, make sure you check out the Apple Support page about iOS 9.2.1.