Impact
The vulnerability is an inappropriate implementation in Chrome for iOS that permits a remote attacker to craft an HTML page which can replace the legitimate contents of the Omnibox (URL bar) when viewed in the browser. This allows the attacker to deceptively alter what the user sees as the current URL, making it appear that the user is visiting a different site. The primary impact can facilitate phishing attacks or other social engineering exploits. It does not grant code execution or direct system compromise.
Affected Systems
Affected software is Google Chrome for iOS. Versions prior to 150.0.7871.47 are vulnerable. Any device running these earlier Chrome for iOS builds is at risk.
Risk and Exploitability
The vulnerability has a high severity rating by Chromium, but no CVSS score is reported in the provided data, and the EPSS score is not available. The attack requires the attacker to serve a crafted HTTP(S) page that the user must open in Chrome for iOS; no special privileges are needed on the device. Because the attacker only needs to provide a malicious webpage, the likelihood of exploitation in the wild is moderate; however, the deception potential is significant. The vulnerability is not currently listed in the CISA KEV catalog.
OpenCVE Enrichment