This issue was addressed by fixing the HTML parser.

CVE-2018-5688 In all Google releases from May through October 2018, there was insufficient warning about the new data origin feature in data URLs. This could lead to a situation where an attacker could misrepresent a URL as being from Google even though it was not, with potentially disastrous results. This issue was addressed with improved URL validation.

CVE-2018-6939 In all versions of Google Chrome prior to 73.0.3683.75, if a user had disabled remote debugging on a device, then attempted to launch the debugger from a page with an X-Frame-Options: SAMEORIGIN header, the remote debugging functionality would not be activated, resulting in an error indicating that the page does not exist. With remote debugging being disabled by default prior to 73.0.3683.75, this issue could potentially be used by an attacker to convince a user that their system has been hacked, and that their data has been compromised. This issue was fixed by adding an X-Frame-Options: SAMEORIGIN header to the warning message.

CVE-2018-6943 In all versions of Google Chrome prior to 73.0.3683.75, data URLs that were opened by clicking on an email message or RSS feed would open in Incognito mode by default. This could be used by an attacker to trick a user into disclosing sensitive information. This issue was fixed by making these

HTML Parsing

Hackers have a number of options to choose from when they target your website. They can leverage vulnerabilities in your website's code, they can use brute force methods, or they can try to impersonate you. One way hackers can gain access to your website is by injecting malicious code into your site's HTML files. For example, an attacker could inject JavaScript code into your HTML file that would allow them to steal information from the user.

Timeline

Published on: 02/12/2022 02:15:00 UTC
Last modified on: 03/31/2022 01:32:00 UTC

References