Impact
Insufficient policy enforcement in Chrome's StorageAccessAPI allowed an attacker who had already compromised the renderer process to bypass the same-origin policy by loading a crafted HTML page. This flaw permits the attacker to access resources that are normally restricted within the same browser context, potentially leading to cross-origin data leakage or unauthorized manipulation of web content. The impact is limited to situations where the renderer has already been compromised; the flaw does not by itself grant code execution or privileges beyond the renderer process. The vulnerability is classified as CWE-284 (Improper Access Control).
Affected Systems
Google Chrome versions prior to 150.0.7871.47 are affected. The issue was addressed in the 150.0.7871.47 release and later. While Google Chrome is the only vendor product listed, any system running one of the vulnerable versions is at risk.
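A quick way to triage a fleet against the affected range is to compare the installed Chrome build number with the fixed release named above. The following script is an added example, not part of the advisory or of any Google tooling; it assumes a Linux or macOS host where the Chrome binary accepts `--version` (the binary paths listed are common defaults, not guaranteed), and the version-comparison logic works on any version string you feed it, for instance one exported from an inventory system.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed version taken from the advisory text above.
FIXED_VERSION = "150.0.7871.47"

# Candidate binary names/paths to probe; these are assumptions, adjust for your fleet.
CHROME_CANDIDATES = (
    "google-chrome",
    "google-chrome-stable",
    "/opt/google/chrome/chrome",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted version such as '150.0.7871.47' from a string like
    'Google Chrome 150.0.7871.47' and return it as a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad a version tuple with zeros so 150.0 compares like 150.0.0.0."""
    return version + (0,) * (width - len(version))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the build in version_text is older than the fixed release,
    False if it is the fixed release or newer, None if no version was found."""
    found = parse_version(version_text)
    if found is None:
        return None
    return _pad(found) < _pad(parse_version(fixed))


def installed_chrome_version(candidates=CHROME_CANDIDATES) -> Optional[str]:
    """Run the first Chrome binary found with --version and return its output."""
    for exe in candidates:
        try:
            proc = subprocess.run(
                [exe, "--version"], capture_output=True, text=True, timeout=5
            )
        except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    return None


if __name__ == "__main__":
    reported = installed_chrome_version()
    if reported is None:
        print("Chrome not found via the candidate paths; check your inventory data instead.")
    else:
        state = is_vulnerable(reported)
        verdict = {True: "VULNERABLE (update required)", False: "patched", None: "unparseable"}[state]
        print(f"{reported!r}: {verdict} against fixed version {FIXED_VERSION}")
```

When run from a configuration-management job, the `is_vulnerable` return value can be fed straight into a ticketing or compliance check; the zero-padding keeps short version strings (as some inventory exports emit) comparable with the full four-part Chrome build number.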
Risk and Exploitability
Exploitation requires first compromising the renderer process, which typically involves a separate vulnerability or a compromised webpage. Once the attacker achieves this, they can craft a malicious page to exploit the StorageAccessAPI flaw, bypassing same-origin restrictions. The CVSS score of 6.5 indicates moderate severity, and the EPSS score of 0.0018 reflects a very low predicted exploitation likelihood. The vulnerability is not listed in CISA KEV, suggesting no widespread exploitation has been observed. Nevertheless, any environment where Chrome is exposed to potentially malicious content should apply the patch promptly to avoid the risk of cross-origin data access in the event of a renderer compromise.
OpenCVE Enrichment