The loophole is in the iOS Webkit and allows universal cross site scripting. If the user visits an infected website, the malware can access data from other open websites or websites in the cache. Such attacks are mostly used to lure users to other manipulated websites or to steal login data.
Update for older iPhones too
The update is available as iOS 14.4.2 for iPhone and iPadOS 14.4.2 for iPad. For older iPhones and iPads (iPhone 5S, iPhone 6, iPhone 6 Plus, iPad mini 2, iPad mini 3, iPad Air) there is an update with iOS 12.5.2 that closes the gap. For the Apple Watch, the corresponding update is called WatchOS 7.3.3.
The update is installed as usual via the system settings, under “General” and “Software update”.