Hacker News new | comments | show | ask | jobs | submit login
Chrome 61 UXSS (CVE-2017-5124) (github.com)
31 points by i_bo0om on Nov 14, 2017 | hide | past | web | favorite | 4 comments

This seems to be explained in better detail by https://bo0om.ru/chrome-and-safari-uxss. Working via Google Translate, the claim seems to be that using MHTML and XSLT allows you to bypass the sandboxing rules and inject JavaScript that bypasses the same-origin policy.

The linked blog credits a Chromium patch that led to the discovery of this exploit: https://chromium-review.googlesource.com/c/chromium/src/+/65...

https://securityespresso.org/translations/2017/11/14/chrome-... not sure the accuracy, in case folks can't hit .ru @ work.

Wow, nice work)

This is available before the security issue is expected to be made public in 14 weeks window & exactly why you need to keep whatever Chromium engine in your application up-to-date.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact