CVE-2017-5244, CVE-2017-5262, CVE-2017-5263

In the WebAuthn authenticator, the handling of unverified requests during the initial interaction flow has been improved. The issue is recorded as: "Interaction flow through WebAuthn API with unverified requests in Google Chrome prior to 69.0.3497.0 allowed a remote attacker to trick an unauthenticated user by triggering an in-bubble autocomplete." It has been addressed by restricting the autocomplete options to those that are expected during the sign-in flow: if the intent is to open a link, the link opens; if the intent is an XSS attack, the user is warned. The same description is recorded for all three identifiers above.
Google Chrome
This issue is recorded as "Inappropriate red highlighting of the Accept button in WebAuthn authenticator".
It has been addressed by changing the background colour of the Accept button to red only when the user selects or clicks it, and highlighting it once the result is successful.
Concurrency and Synchronization (CAS)
The Web Authentication credential management API has been updated to address concurrency and synchronization issues that might have resulted in credential loss.
Timeline
Published on: 07/26/2022 22:15:00 UTC
Last modified on: 08/15/2022 11:16:00 UTC