CVE-2022-1868 An attacker could bypass navigation restrictions in Google Chrome if they convinced a user to install a malicious extension.
If you have installed a malicious extension or have a compromised device, an attacker could potentially trick you into visiting a specifically crafted website, causing Chrome to try to navigate to an external site instead of the desired one. This issue was resolved in Google Chrome 102.0.5 prior to 102.0.532. On Windows, Mac, and Linux, this issue was resolved in Google Chrome 72.0.3626.0. On iOS, Google Chrome was not vulnerable to this issue due to a limitation in how the WebKit rendering engine handles navigation requests.
Impact In the most common scenario, a malicious extension would be required to install on a targeted user's system. Once the user has clicked on a link or visited a malicious site, an attacker could trick Google Chrome into attempting to navigate to an external site with a malicious extension. BE FOREWARNED! In the scenario where an attacker has compromised a targeted user's system, an attacker could trick that user into visiting a specially crafted website, potentially compromising the user's system. If a user has not installed a malicious extension and has not visited a malicious site, this issue has no impact. What steps can you take to protect yourself? - Ensure that your device is running the latest version of Google Chrome. - Install extensions from trusted sources. - Avoid visiting malicious sites.
Overview: What is the 'Strict Site Inspector' Extension?
If you're familiar with the Chrome Web Store, you might have even installed the Strict Site Inspector extension. This extension is designed to catch any deviations from your web site's standards and report them to you in real time. If you're unfamiliar with it, but want to check it out, be sure to do so at a later date.
The Strict Site Inspector extension is a useful tool that can help identify any changes made by an attacker and notify you when something suspicious happens on your site. Install this extension if you want to get a clearer idea of what's happening on your website. In this article, we'll briefly discuss how this tool helps protect you from malicious activity.
Google has confirmed that it is actively investigating this issue and will update the public when there is more information.
This issue was resolved in Google Chrome 102.0.5 before the release of Google Chrome 102.0.532. On Windows, Mac, and Linux, this issue was resolved in Google Chrome 72.0.3626.0 before the release of Google Chrome 72.0.3626.65 . On iOS, this issue was not present due to a limitation in how the WebKit rendering engine handles navigation requests that occurred on iOS 11 before its release on October 31st 2017
How do I know if my device is vulnerable?
If you are using Google Chrome on Windows, Mac, or Linux and have installed a malicious extension or have a compromised system, an attacker could potentially trick you into visiting a specially crafted website. This issue has been resolved in Google Chrome 102.0.5 before 102.0.532. On Windows, Mac, and Linux, this issue was resolved in Google Chrome 72.0.3626.0 before 72.0.3627.1-r1 before 72.0.3627-r3 before 72.0.3628-rc1 in March 2018 and was not exploitable because the WebKit rendering engine does not permit navigation requests to external sites on iOS due to a limitation of how the rendering engine handles navigation requests on mobile devices with this version of WebKit.
What is Google Chrome?
Google Chrome is a browser developed by Google that runs on Windows, macOS, and Linux. It also has an iOS edition, which is the default mobile browser on iPhones and iPads. Google Chrome was released in 2008 as a free download from the web store at www.google.com/chrome.
A new release of Google Chrome will be available every six weeks or so with additional features and fixes to previous releases.
Timeline
Published on: 07/27/2022 22:15:00 UTC
Last modified on: 08/15/2022 11:17:00 UTC