Impact
Insufficient validation of untrusted input in Chrome for iOS allows a remote attacker to trigger a cross‑origin data leak via a crafted HTML page. The browser can be made to access data from another origin that should not be visible, exposing confidential information such as cookies, local storage, or other sensitive data. This is a high‑severity confidentiality compromise with no impact on integrity or availability.
Affected Systems
The vulnerability affects Google Chrome for iOS versions earlier than 150.0.7871.47. Any installation of Chrome for iOS before this release is susceptible, while newer releases include the necessary input validation fix. The issue is vendor‑specific and does not extend to other browsers on iOS.
Risk and Exploitability
The flaw is classified as high severity. An EPSS score is not available, and it is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker delivering a specially crafted HTML page that the victim opens in Chrome for iOS. Exploitation requires the victim to render the malicious page, which normally requires user interaction or requires the attacker to lure the victim to the page. Because the vulnerability is triggered by HTML content rendered in the browser, no privileged conditions are required beyond normal browsing.