CVE-2017-5033

MEDIUM

Google Chrome <57.0.2987.98-57.0.2987.108 - XSS

Description

Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword.

Scores

CVSS v3 4.3
EPSS 0.0061
EPSS Percentile 69.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classification

CWE
CWE-281
Status published

Affected Products (7)

google/chrome < 57.0.2987.75
debian/debian_linux
debian/debian_linux
redhat/enterprise_linux_desktop
redhat/enterprise_linux_server
redhat/enterprise_linux_workstation
n/a/Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android < Google Chrome prior to 57.0.2987.98 for Mac, Windows and Linux, and 57.0.2987.108 for Android

Timeline

Published Apr 24, 2017
Tracked Since Feb 18, 2026