Impact
An implementation defect in Chrome's DataTransfer handling on macOS allows a remote attacker who convinces a user to perform specific UI gestures on a crafted web page to leak data across origin boundaries. The flaw does not give the attacker remote code execution; instead it exploits improper access controls within the browser's internal data transfer mechanisms to expose sensitive information to a malicious site. Consequently, confidential data such as clipboard contents or drag-and-drop data can be disclosed to a third-party origin, undermining data confidentiality for users who interact with affected pages.
Affected Systems
Google Chrome for macOS installations with versions prior to 150.0.7871.47 are vulnerable. Users of older Chrome releases on macOS devices are at risk until they upgrade to the patched version or a later release that contains the fix.
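A check against the version threshold above, as an added example that is not part of the advisory or of Chrome. The function names, the `CHROME_APP` override and the default bundle path `/Applications/Google Chrome.app` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a Chrome for macOS version against the fixed
# release named in this advisory.
FIXED_VERSION="150.0.7871.47"

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Components are compared as integers, so 150.0.7871.9 < 150.0.7871.47 and
# 99.x < 150.x (a plain string comparison gets both wrong). Missing
# components count as 0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# classify_chrome_version VERSION: prints vulnerable, patched or unknown.
classify_chrome_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;  # not a dotted number
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# On a Mac, read the installed bundle version. CHROME_APP is a hypothetical
# override for non-default install locations.
APP="${CHROME_APP:-/Applications/Google Chrome.app}"
if [ -f "$APP/Contents/Info.plist" ] && [ -x /usr/libexec/PlistBuddy ]; then
    v=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
        "$APP/Contents/Info.plist")
    echo "$APP: $v -> $(classify_chrome_version "$v")"
fi
```

The bundle on disk can be newer than the running browser, because an applied update only takes effect after Chrome is relaunched.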
Risk and Exploitability
The CVSS severity is listed as Medium. No EPSS score is available yet, so there is no exploitation-probability estimate to draw on, and the vulnerability is not included in CISA's KEV catalog. Exploitation requires a user to be convinced to perform specific UI gestures, so the attack vector relies on social engineering and user interaction rather than a purely automatic remote trigger. Given these constraints, the immediate operational risk is moderate, but the flaw can still lead to unintended data exposure if users fall victim to a phishing-style prompt.
OpenCVE Enrichment