Insufficient Policy Enforcement in Google Chrome Affecting Multiple Platforms
CVE-2017-5046

4.3MEDIUM

Key Information:

Vendor
Google
Status
Google Chrome Prior To 57.0.2987.98 For Mac, Windows And Linux, And 57.0.2987.108 For Android
Vendor
CVE Published:
24 April 2017

Summary

The vulnerability in Google Chrome stems from inadequate enforcement of security policies within the V8 engine, which can be exploited by remote attackers. By crafting a malicious HTML page, an attacker is able to spoof the location object. This exploitation can lead to unintended information disclosure through the Blink rendering engine, potentially compromising user sessions or privacy. The affected versions are prior to 57.0.2987.98 for Mac, Windows, and Linux and prior to 57.0.2987.108 for Android.

Affected Version(s)

Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android

References

https://chromereleases.googleblog.com/2017/03/stable-chan...
x_refsource_CONFIRM
https://security.gentoo.org/glsa/201704-02
vendor-advisoryx_refsource_GENTOO
https://crbug.com/680409
x_refsource_CONFIRM

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.