Impact
A flaw in the ScriptInjections component of Google Chrome on iOS allows a remote attacker to craft an HTML page that causes the browser to expose data from a different origin. The vulnerability enables the attacker to read information that should be protected by the same‑origin policy, potentially revealing sensitive user data, credentials, or other confidential content. The weakness stems from insecure handling of script injection and can lead to information disclosure.
Affected Systems
The issue affects all users of Google Chrome on iOS devices running versions prior to 150.0.7871.47. In particular, iOS installations of Chrome that have not applied the stable channel update contain the vulnerable code. All users of these versions on iOS are subject to the risk, including enterprise and consumer deployments. No other products or platforms are listed as affected.
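A fleet-inventory check for the affected range, as an added example that is not part of the advisory: it flags Chrome for iOS clients older than 150.0.7871.47 from User-Agent strings, using the `CriOS/<version>` token that Chrome on iOS sends. The log format (`client_id<TAB>user_agent`), the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# First fixed version, as stated in the advisory; earlier builds are affected.
FIXED = (150, 0, 7871, 47)

# Chrome on iOS identifies itself with a "CriOS/<version>" User-Agent token.
CRIOS_RE = re.compile(r"\bCriOS/(\d+(?:\.\d+){0,3})\b")


def crios_version(user_agent):
    """Return the Chrome for iOS version as a 4-tuple, or None if absent."""
    m = CRIOS_RE.search(user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad short versions with zeros; a truncated version then compares as
    # older than the fix, which errs on the side of flagging the client.
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(user_agent):
    """True if older than the fix, False if fixed, None if not Chrome on iOS."""
    v = crios_version(user_agent)
    return None if v is None else v < FIXED


def affected_clients(log_lines):
    """Return sorted (client_id, version) pairs for affected clients."""
    hits = set()
    for line in log_lines:
        client, _, ua = line.partition("\t")
        if is_affected(ua):
            hits.add((client, ".".join(map(str, crios_version(ua)))))
    return sorted(hits)


# Constructed sample log lines (hypothetical client ids and build numbers).
IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "
SAMPLE_LOG = [
    "ipad-0412\t" + IOS + "CriOS/149.0.7800.12 Mobile/15E148 Safari/604.1",
    "iphone-0077\t" + IOS + "CriOS/150.0.7871.47 Mobile/15E148 Safari/604.1",
    # Numeric comparison matters here: as text, "9" would sort after "47".
    "iphone-0101\t" + IOS + "CriOS/150.0.7871.9 Mobile/15E148 Safari/604.1",
    "mac-0003\tMozilla/5.0 (Macintosh) AppleWebKit/537.36 Chrome/149.0.0.0 Safari/537.36",
]

if __name__ == "__main__":
    for client, version in affected_clients(SAMPLE_LOG):
        print(f"{client}: CriOS {version} is older than the fixed build")
```

User-Agent strings are supplied by the client, so treat the result as an inventory hint and confirm installed versions through device management data where available.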
Risk and Exploitability
The vulnerability is rated Medium on Chromium’s security severity scale, but exact CVSS metrics are not provided in the public record. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploits are known at this time. Based on the description, the likely attack vector is a malicious web page served to the victim’s device, so any user who visits a compromised site could trigger the data leak. The flaw requires no elevated privileges and can be exploited through normal browsing activity, making it a significant risk for users who may unknowingly visit malicious content.