Older iOS devices are seriously vulnerable to this active exploit.
The attackers have mostly pwned any iOS 12 device they could find.

Apple has issued an emergency patch for older kit to fix a WebKit security
flaw that Cupertino warns is under active attack.
https://www.theregister.com/2023/01/24/apple_iphone_bug_under_exploit/

On Monday, Apple released iOS 12.5.7 for iPhone 5s, iPhone 6, iPhone 6
Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch.
It also updated iOS and iPadOS 15 and 16, but it appears that, at least as
of now, attackers are only going after devices running the very-old iOS 12.

If you have one of these older devices, we'd suggest updating to the new
iOS immediately as the vulnerability that it fixes, tracked as
CVE-2022-42856, sounds like a nasty one. Websites, for one, can exploit
this flaw to hijack vulnerable phones that surf by.

"Processing maliciously crafted web content may lead to arbitrary code
execution," Apple warned in the security update. "Apple is aware of a this
issue may has been actively exploited against versions of iOS released
before iOS 15.1."

Apple didn't provide any other details about who is responsible for the
in-the-wild exploits. The bug was, however, discovered by Google Threat
Analysis Group's Cl�ment Lecigne, and that's significant because TAG tracks
nation-state attackers and commercial spyware, so it's unlikely that the
CVE-2022-42856 exploits will be attributed to a bunch of script kiddies.

Also, if CVE-2022-42856 sounds familiar, it should. Apple patched the
vulnerability in iOS 16 in December and iOS 15 in November. But not
everyone updates or can update.