Enterprise>BrowserSwitcher
Description
The "url" query parameter of chrome://browser-switch allows HTML injection when the value is a file:/// scheme URL. This vulnerability could be exploited to craft a malicious link that, when opened, displays a convincing phishing message along with a download link.
Any attempt at script injection was blocked thanks to chrome://resources/js/parse_html_subset.js.
VERSION
Chrome Version: 122.0.6261.129 stable
Operating System: Windows 11 Version 22H2
REPRODUCTION CASE
Go to the following link:
chrome://browser-switch/?url=file:///BUG1337<br><strong>To fix this issue please download and open the following file: <a href="
In a real-life situation, this bug could be exploited by any Chrome extension with the "tabs" permission. A simple extension demonstrating this exploit is attached.
CREDIT INFORMATION
Reporter credit: Oleg
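
The behaviour described in the report, as an added example that is not part of the original report and is not Chromium's code: a tag allowlist stops script but still lets formatting markup through, while escaping the parameter before interpolation leaves only text. The `Opening ...` template, the allowlist contents, the toy filter and the sample link are assumptions made for illustration.

```javascript
// Added example: hypothetical WebUI rendering code, not Chromium's source.

// Constructed sample link, modelled on the report's reproduction case.
const SAMPLE = 'chrome://browser-switch/?url=file:///BUG1337<br>' +
    '<strong>constructed-notice</strong><script>x()</script>';

// Hypothetical tag allowlist standing in for an HTML-subset filter.
const ALLOWED_TAGS = new Set(['a', 'b', 'br', 'strong']);

// Toy filter: drops any tag whose name is not allowlisted, keeps the rest.
function filterTags(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g,
      (tag, name) => (ALLOWED_TAGS.has(name.toLowerCase()) ? tag : ''));
}

// Escape HTML-significant characters so the value renders as plain text.
function escapeHtml(value) {
  const map = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the caller-controllable "url" query parameter from the page URL.
function getUrlParam(pageUrl) {
  return new URL(pageUrl).searchParams.get('url') || '';
}

// Before: the parameter is interpolated as markup, then subset-filtered.
function renderUnsafe(pageUrl) {
  return filterTags(`Opening ${getUrlParam(pageUrl)}`);
}

// After: the parameter is escaped first, so the filter only ever sees text.
function renderSafe(pageUrl) {
  return filterTags(`Opening ${escapeHtml(getUrlParam(pageUrl))}`);
}

console.log(renderUnsafe(SAMPLE));
console.log(renderSafe(SAMPLE));
```

In a DOM context the same effect comes from assigning the value through `textContent` instead of building an HTML string.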