Impact
A flaw in Chrome’s fullscreen rendering logic allowed a malicious web page to display a deceptive security interface when the browser was in fullscreen. The vulnerability does not grant code execution or data exfiltration; it simply lets a remote attacker craft a UI that mimics legitimate browser dialogs, potentially convincing a user to provide credentials or perform unintended actions.
Affected Systems
Google Chrome desktop releases older than 147.0.7727.55 on any supported operating system are affected. Users who browse the Internet with such versions should avoid allowing websites to request fullscreen, as the UI could be spoofed.
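An added triage check (not from the advisory or OpenCVE) that flags inventory entries older than the fixed build named above; versions are compared numerically rather than as strings, and the host inventory is constructed sample data.

```python
# Added example: flag Chrome desktop installs older than the fixed build
# named in the advisory. Hostnames and versions below are constructed.
from typing import Optional, Tuple

FIXED_VERSION = "147.0.7727.55"  # first fixed desktop release per the advisory

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Dotted Chrome version -> integer tuple; None if malformed.
    Integer tuples compare numerically, so "99.0.4844.51" is correctly
    older than "147.0.7727.55" (string comparison would get this wrong)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if older than the fixed build, False if fixed or newer,
    None if the version cannot be parsed (treat as needing review)."""
    v, f = parse_version(version), parse_version(fixed)
    if v is None or f is None:
        return None
    # Pad shorter tuples with zeros so "147.0" compares as 147.0.0.0.
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f

def triage(inventory: dict) -> dict:
    """Bucket hosts into affected / fixed / unknown from a host -> version map."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "fixed")
        result[key].append(host)
    return result

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "ws-01": "146.0.7700.10",
    "ws-02": "147.0.7727.55",
    "ws-03": "147.0.7727.60",
    "ws-04": "99.0.4844.51",
    "ws-05": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```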
Risk and Exploitability
Chromium labels the issue Medium severity, but no numeric CVSS score is supplied. EPSS data is unavailable and the vulnerability is not in the CISA KEV catalog. Exploitation requires a remote attacker to host a malicious page and a user to visit it and allow fullscreen; the impact is limited to social-engineering or phishing scenarios rather than arbitrary code execution.
OpenCVE Enrichment