If you’ve decided not to make the move to macOS Sierra, you can still update to Safari 10 on your Mac running OS X El Capitan or Yosemite, and experience most of the new browser’s features.
Safari 10 for El Capitan and Yosemite does not offer features such as the Sierra-only picture-in-picture support for video, and Apple Pay on the web, but it does include the following new features:
The updated browser also offers a number of security updates, such as a fix for a number of WebKit vulnerabilities, and offers fixes for issues related to Safari Tabs and Reader.
Safari Reader
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Enabling the Safari Reader feature on a maliciously crafted webpage may lead to universal cross site scripting
Description: Multiple validation issues were addressed through improved input sanitization.
CVE-2016-4618: an anonymous researcher
Safari Tabs
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A state management issue existed in the handling of tab sessions. This issue was addressed through session state management.
CVE-2016-4751: Daniel Chatfield of Monzo Bank
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A parsing issue existed in the handling of error prototypes. This was addressed through improved validation.
CVE-2016-4728: Daniel Divricean
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: A permissions issue existed in the handling of the location variable. This was addressed though additional ownership checks.
CVE-2016-4758: Masato Kinugawa of Cure53
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-2016-4611: Apple
CVE-2016-4729: Apple
CVE-2016-4730: Apple
CVE-2016-4731: Apple
CVE-2016-4734: Natalie Silvanovich of Google Project Zero
CVE-2016-4735: André Bargull
CVE-2016-4737: Apple
CVE-2016-4759: Tongbo Luo of Palo Alto Networks
CVE-2016-4762: Zheng Huang of Baidu Security Lab
CVE-2016-4766: Apple
CVE-2016-4767: Apple
CVE-2016-4768: Anonymous working with Trend Micro’s Zero Day Initiative
CVE-2016-4769: Tongbo Luo of Palo Alto Networks
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: A malicious website may be able to access non-HTTP services
Description: Safari’s support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.
CVE-2016-4760: Jordan Milne
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2016-4733: Natalie Silvanovich of Google Project Zero
CVE-2016-4765: Apple
WebKit
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An attacker in a privileged network position may be able to intercept and alter network traffic to applications using WKWebView with HTTPS
Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed through improved validation.
CVE-2016-4763: an anonymous researcher
(Via MacRumors)