Researchers from Tencent and PerimeterX found a zero-day bug in Chromium-based browsers on Android, Windows and Mac. The issue is with Content Security Policy (CSP): it could be exploited by injecting malicious code into the properties of a website's HTML elements, thereby bypassing the site's CSP. Google has made a patch available for Chrome.

Zero-day Bugs in Chromium Browsers

Chrome, Edge, Opera, Brave and several other browsers depend on Chromium as their underlying technology, so any vulnerability in Chromium eventually affects the browsers based on it. Here is one that their users should be worried about.

Researchers at PerimeterX disclosed a zero-day bug in March this year that affects the Content Security Policy in Chromium, and therefore the browsers based on it.
CSP is an added layer of security that prevents attacks like cross-site scripting. With it, a website can instruct the browser to check for malicious scripts on its side and block them, preventing exploitation of the site's content.

It specifies certain websites as “valid sources of executable scripts so that a CSP-compatible browser only executes scripts loaded in source files received from those allow-listed domains, ignoring all others”, as per The Hacker News. A website's configured CSP can be circumvented by passing malicious JavaScript code in the “src” property of an HTML iframe element.

This bypass technique was reported by Xuanwu Lab of Tencent Security in March 2019 but wasn’t considered back then. Now, after PerimeterX's report, Google released a fix last month in the form of version 84.0.4147.89. Users are advised to update to the new version immediately, and website owners should use the nonce and hash capabilities of CSP for added security.
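
The nonce and hash recommendation above, as an added example that is not code from the article or from the researchers: Node.js functions that build a `script-src` from a per-response nonce plus SHA-256 hashes of inline scripts, and that classify an existing policy as nonce/hash-based or allow-list-only. The function names and the sample policies are assumptions made for illustration.

```javascript
// Added example: nonce- and hash-based script-src (function names are illustrative).
const crypto = require("crypto");

// CSP hash source for one inline script body: 'sha256-<base64 digest>'.
function hashSource(scriptBody) {
  const digest = crypto.createHash("sha256").update(scriptBody, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Build the policy for one response; the nonce must be fresh for every response
// and must also be set as the nonce attribute of each trusted <script> tag.
function buildPolicy(staticInlineScripts) {
  const nonce = crypto.randomBytes(16).toString("base64");
  const sources = [`'nonce-${nonce}'`, ...staticInlineScripts.map(hashSource)];
  const header = [`script-src ${sources.join(" ")}`, "object-src 'none'", "base-uri 'none'"].join("; ");
  return { nonce, header };
}

// Classify how an existing policy restricts scripts (script-src, else default-src).
function auditScriptSrc(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first occurrence wins
  }
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) return "no-script-restriction";
  // A valid nonce or hash source makes browsers ignore 'unsafe-inline', so check it first.
  const strong = /^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+\/_=-]+'$/;
  if (sources.some((s) => strong.test(s))) return "nonce-or-hash";
  const inline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return inline ? "unsafe-inline" : "allow-list-only";
}

// Constructed sample policies, plus one built by buildPolicy().
const samples = [
  "script-src 'self' https://cdn.example.com",
  "default-src 'self' 'unsafe-inline'",
  "img-src *",
  buildPolicy(["console.log('inline bootstrap')"]).header,
];
for (const p of samples) console.log(auditScriptSrc(p).padEnd(22), p);
```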
