Impact
Chrome for iOS contains an information‑leakage flaw where WebAuthentication may reveal data from other origins through a side‑channel. By loading a specially crafted HTML page, a remote attacker can trigger the leak and obtain sensitive information that would normally be protected by same‑origin policies. The weakness, categorized as CWE‑1300, involves improper handling of authentication material across origins, allowing the attacker to read data the malicious page can access, although it does not grant system control. The severity is assessed as low according to Chromium’s official rating.
Affected Systems
The issue affects Google Chrome on iOS devices running versions prior to 150.0.7871.47. All installations of Chrome below that version running on iOS are vulnerable.
Risk and Exploitability
Exploitability is remote, relying on the victim visiting a malicious web page that triggers the WebAuthentication side‑channel. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which indicates a low risk of widespread exploitation at this time. However, because the attack vector is simple—load a crafted page—any user who visits malicious content on an affected Chrome browser could have their origin data exposed.
OpenCVE Enrichment