- The vulnerability was uncovered by security researcher Michal Bentkowski and reported to Google.
- Threat actors could exploit the flaw to manipulate the CSP header and perform clickjacking, cross-site scripting, code injection attacks and more on a particular web page.
A new high-severity vulnerability was discovered in Google Chrome in late May that affects all major operating systems, including Windows, Mac and Linux. The flaw was uncovered by security researcher Michal Bentkowski and reported to Google.
The Chrome security team did not reveal specific details about the bug, noting that “such details and links may be kept restricted until a majority of users are updated with a fix.”
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed,” the team added.
The vulnerability, tracked as CVE-2018-6148, involved the incorrect handling of the CSP header. The Content Security Policy (CSP) header allows website admins to control the resources that the browser is allowed to load, thereby adding another layer of security to their webpage.
Threat actors targeting the CSP header could manipulate it to perform clickjacking, cross-site scripting, code injection attacks and more on a particular web page. An attacker could set up arbitrary headers to bypass header-based CSRF protection.
The patch for the vulnerability has already been rolled out in a new Google update.
The latest Google Chrome update, 67.0.3396.79, has been released for Windows, Mac and Linux operating systems. Users have been advised to install the Google browser update for a secure web browser.