Impact
An improper implementation of Chrome’s PerformanceAPIs permits a remote attacker who delivers a crafted HTML page to the victim to read data originating from a different origin. The flaw could lead to the disclosure of confidential or sensitive information, representing a breach of confidentiality but not directly compromising system integrity or availability.
Affected Systems
Versions of Google Chrome released before 150.0.7871.47 are affected. The vulnerability resides in the PerformanceAPIs module of the browser and is triggered by a maliciously crafted web page whose source is controlled by the attacker.
Risk and Exploitability
The official Chromium severity for this issue is Medium, and no EPSS score is available. The problem is not listed in the CISA KEV catalog. Exploitation requires the victim to load a malicious page in their browser, which is a typical web-based attack scenario. While the exact likelihood of remote exploitation cannot be quantified without an EPSS value, browsers that remain unpatched are exposed to potential data leakage from other origins.