Vulnerability Description
The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigger unintended JavaScript function calls and bypass the Same Origin Policy via an indirect interception attack.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chrome | <= 53.0.2785.101 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2016-1905.html
- http://www.debian.org/security/2016/dsa-3667
- http://www.securityfocus.com/bid/92942
- http://www.securitytracker.com/id/1036826
- https://codereview.chromium.org/1840453002
- https://crbug.com/468931
- https://crbug.com/471523
- https://crbug.com/497507
- https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desk
- https://security.gentoo.org/glsa/201610-09
- http://rhn.redhat.com/errata/RHSA-2016-1905.html
- http://www.debian.org/security/2016/dsa-3667
- http://www.securityfocus.com/bid/92942
- http://www.securitytracker.com/id/1036826
- https://codereview.chromium.org/1840453002
FAQ
What is CVE-2016-5173?
CVE-2016-5173 is a vulnerability with a CVSS score of 7.1 (HIGH). The extensions subsystem in Google Chrome before 53.0.2785.113 does not properly restrict access to Object.prototype, which allows remote attackers to load unintended resources, and consequently trigg...
How severe is CVE-2016-5173?
CVE-2016-5173 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-5173?
Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome.