Impact
An inappropriate implementation in Google Chrome extensions on Android, before version 150.0.7871.47, allows an attacker who persuades a user to install a malicious extension to bypass the browser’s same origin policy. The vulnerability is classified as high severity by Chromium. This bypass could enable the extension to access or manipulate data and resources from other origins, potentially leading to data theft, privilege escalation within the browser, or facilitating further attacks such as cross-site scripting.
Affected Systems
Google Chrome on Android, versions earlier than 150.0.7871.47.
Risk and Exploitability
The CVSS equivalents and exploit probability (EPSS) are not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploit yet. The attack vector is likely user-initiated: an attacker requires convincing a user to install a malicious extension, for example via social engineering or compromised extension stores. Once installed, the extension can then bypass same origin policy constraints. The overall risk remains high due to the potential for widespread data exposure on affected devices.
OpenCVE Enrichment