Description
The Hook_Terminate function in chrome_frame/protocol_sink_wrap.cc in the Google Chrome Frame plugin before 26.0.1410.28 for Internet Explorer does not properly handle attach tab requests, which allows user-assisted remote attackers to cause a denial of service (application crash) via an _blank value for the target attribute of an A element.
References (5)
Core 5
Core References
Patch x_refsource_confirm
http://src.chromium.org/viewvc/chrome/trunk/src/chrome_frame/protocol_sink_wrap.cc?r1=185956&r2=185955&pathrev=185956
Vendor Advisory x_refsource_confirm
https://chromiumcodereview.appspot.com/12395021
Release Notes, Vendor Advisory x_refsource_confirm
http://googlechromereleases.blogspot.com/2013/03/beta-channel-update.html
Vendor Advisory x_refsource_confirm
http://src.chromium.org/viewvc/chrome?view=rev&revision=185956
Issue Tracking x_refsource_confirm
https://code.google.com/p/chromium/issues/detail?id=178415
Scores
EPSS
0.0112
EPSS Percentile
62.4%
Details
CWE
CWE-119
Status
published
Products (3)
google/chrome_frame
15.0.874.121
google/chrome_frame
16.0.912.63
google/chrome_frame
< 26.0.1410.27
Published
Mar 07, 2013
Tracked Since
Feb 18, 2026