This issue was addressed by fixing the HTML parser. CVE-2018-5688 In all Google releases from May through October 2018, there was insufficient warning about the new data origin feature in data URLs. This could lead to a situation where an attacker could misrepresent a URL as being from Google even though it was not, with potentially disastrous results. This issue was addressed with improved URL validation.
CVE-2018-6939 In all versions of Google Chrome prior to 73.0.3683.75, if a user had disabled remote debugging on a device, then attempted to launch the debugger from a page with an X-Frame-Options: SAMEORIGIN header, the remote debugging functionality would not be activated, resulting in an error indicating that the page does not exist. With remote debugging being disabled by default prior to 73.0.3683.75, this issue could potentially be used by an attacker to convince a user that their system has been hacked, and that their data has been compromised. This issue was fixed by adding an X-Frame-Options: SAMEORIGIN header to the warning message.
CVE-2018-6943 In all versions of Google Chrome prior to 73.0.3683.75, data URLs that were opened by clicking on an email message or RSS feed would open in Incognito mode by default. This could be used by an attacker to trick a user into disclosing sensitive information. This issue was fixed by making these
Published on: 02/12/2022 02:15:00 UTC
Last modified on: 03/31/2022 01:32:00 UTC