Insufficient Content Security Policy Enforcement in Google Chrome
CVE-2017-15387

8.8HIGH

Key Information:

Vendor
Google
Status
Google Chrome Prior To 62.0.3202.62
Vendor
CVE Published:
7 February 2018

Summary

A vulnerability exists in Google Chrome due to insufficient enforcement of the Content Security Policy within the Blink rendering engine. This flaw allows remote attackers to potentially exploit crafted HTML pages to open javascript: URL windows, which should otherwise be restricted. As a result, unauthorized actions could be executed within the browser, potentially compromising user data and privacy. Users are advised to update to the latest version of Google Chrome to mitigate risks associated with this vulnerability.

Affected Version(s)

Google Chrome prior to 62.0.3202.62 Google Chrome prior to 62.0.3202.62

References

http://www.securityfocus.com/bid/101482
vdb-entryx_refsource_BID
https://crbug.com/756040
x_refsource_MISC
https://chromereleases.googleblog.com/2017/10/stable-chan...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.