Insufficient Policy Enforcement in Google Chrome Affects Multiple Platforms
CVE-2017-5060

6.5 MEDIUM

Summary

A vulnerability in the Omnibox component of Google Chrome allowed a remote attacker to spoof the displayed domain because the browser did not enforce its display policy for internationalized domain names strictly enough. The flaw enables domain spoofing through IDN homographs: a domain name built from characters that look like those of a legitimate domain is rendered in the address bar in its visually identical Unicode form rather than in its punycode form. As a consequence, users may inadvertently visit malicious sites that visually resemble trustworthy domains. This issue affects multiple platforms, including Mac, Windows, Linux, and Android, in versions prior to 58.0.3029.81 for desktop and 58.0.3029.83 for Android. It underscores the importance of strict validation and display rules for domain names in user-facing security indicators.
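The following added example (not Chrome's own code, and not part of this record) illustrates the defensive policy the summary describes: before showing a hostname in a security-sensitive place, decode any punycode labels and keep a label in its `xn--` form when it mixes scripts or consists entirely of Cyrillic letters that look like Latin ones. The lookalike table, the function names and the sample hostnames are assumptions constructed for illustration; Chrome's real confusable tables are larger.

```python
"""Illustrative IDN homograph display check (added example, not Chrome's code)."""
import unicodedata

# Assumed, constructed table: Cyrillic letters whose glyphs resemble Latin
# letters in common fonts. A production check would use a maintained
# confusables list rather than this hand-picked subset.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04cf": "l", "\u0501": "d",
    "\u051b": "q", "\u051d": "w",
}


def script_of(ch: str) -> str:
    """Return the script family of one character, taken from the first word of
    its Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits, hyphens and other
    non-letters are reported as 'Common' so they never count as a script."""
    if not unicodedata.category(ch).startswith("L"):
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def classify_label(label: str) -> str:
    """Classify a single Unicode hostname label.

    'mixed-script'     : letters from more than one script (e.g. Cyrillic a + Latin pple)
    'latin-lookalike'  : every letter is Cyrillic and every one resembles a Latin letter
    'safe'             : anything else (single script, not a whole-label lookalike)
    """
    scripts = {script_of(c) for c in label} - {"Common"}
    if len(scripts) > 1:
        return "mixed-script"
    if scripts == {"CYRILLIC"} and all(
        c in CYRILLIC_LOOKALIKES for c in label if script_of(c) == "CYRILLIC"
    ):
        return "latin-lookalike"
    return "safe"


def to_unicode(label: str) -> str:
    """Decode an 'xn--' (punycode) label to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def display_form(hostname: str) -> str:
    """Return the form of a hostname that is safe to show to the user: labels
    that pass the check are shown as Unicode, every other label is shown in
    its punycode form so the lookalike cannot impersonate a Latin domain."""
    shown = []
    for label in hostname.split("."):
        uni = to_unicode(label)
        if classify_label(uni) == "safe":
            shown.append(uni)
        else:
            shown.append(uni.encode("idna").decode("ascii"))
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample hostnames: a plain ASCII name, a German IDN, a
    # mixed-script label and an all-Cyrillic lookalike of a Latin word.
    for host in ("example.com", "b\u00fccher.example",
                 "\u0430pple.example", "\u0430\u0440\u0440\u04cf\u0435.example"):
        print(f"{host!r:40} -> {display_form(host)}")
```

The check runs per label, as Chrome's policy does, so a legitimate single-script IDN such as `bücher.example` is still displayed in Unicode while a label that would render identically to a Latin word falls back to its `xn--` form.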

Affected Version(s)

Google Chrome prior to 58.0.3029.81 for Mac, Windows and Linux, and 58.0.3029.83 for Android

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved