An attacker could also exploit these issues by convincing a user to install a malicious extension.

CVE-2018-6025: Chrome on Android before the 2018Q3 release, when a user has installed certain Google mobile apps, allowed attackers to bypass a cross-origin policy restriction via a PNFB request.
Redirect injection in Blink in Google Chrome prior to 73.0.3683.75 allowed remote attackers to inject arbitrary web script or HTML via a crafted HTML document.
Redirect injection in Blink in Google Chrome prior to 73.0.3683.80 allowed remote attackers to inject arbitrary web script or HTML via a crafted HTML document.
Incorrect escaping of Nishang input in Google Chrome on iOS prior to 72.0.3626.121 allowed attackers to inject arbitrary web script or HTML by leveraging a quote within a textbox.
Redirect injection in Blink in Google Chrome on Windows prior to 73.0.3683.86 allowed remote attackers to inject arbitrary web script or HTML via a crafted HTML document.
Incorrect escaping of Nishang input in Google Chrome on Mac OS X prior to 73.0.3683.86 allowed attackers to inject arbitrary web script or HTML by leveraging a quote within a textbox.
Redirect injection in Blink in Google Chrome on Linux prior to 73.0.3683.86 allowed remote attackers to inject arbitrary web script or HTML via a crafted HTML document.
Redirect injection in Blink in Google Chrome

Microsoft Edge

A cross-site scripting (XSS) vulnerability exists in Microsoft Edge that could allow an attacker to inject malicious code into the user's session.
An information disclosure vulnerability exists in Microsoft Edge that could allow an attacker to access data in memory via a crafted HTML document.
A remote code execution vulnerability exists when Microsoft Edge improperly validates JavaScript under specific circumstances.

Timeline

Published on: 04/05/2022 00:15:00 UTC
Last modified on: 04/08/2022 17:17:00 UTC

References