CVE-2014-7939
Google Chrome < 40.0.2214.91 - Same Origin Policy Bypass via Proxy.create and console.log
Title source: llmDescription
Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header.
References (9)
Core 9
Core References
Release Notes, Vendor Advisory x_refsource_confirm
http://googlechromereleases.blogspot.com/2015/01/stable-update.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-201502-13.xml
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-0093.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/62383
Issue Tracking x_refsource_confirm
https://code.google.com/p/chromium/issues/detail?id=399951
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/62665
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/72288
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1031623
Scores
EPSS
0.0069
EPSS Percentile
72.1%
Details
CWE
CWE-264
Status
published
Products (8)
chromium/chromium
40.0.2214.110
google/chrome
< 40.0.2214.85
opensuse/opensuse
13.1
opensuse/opensuse
13.2
redhat/enterprise_linux_desktop_supplementary
6.0
redhat/enterprise_linux_server_supplementary
6.0
redhat/enterprise_linux_server_supplementary_eus
6.6.z
redhat/enterprise_linux_workstation_supplementary
6.0
Published
Jan 22, 2015
Tracked Since
Feb 18, 2026