A flaw in Google Chrome’s Cast handling allows a remote attacker who has already compromised the renderer process to craft a malicious HTML page that forces the browser to navigate to arbitrary URLs without the user’s consent. This improper authorization error gives the attacker control over the browsing flow, which can be used for phishing, click‑jacking or other malicious redirections. The weakness is identified as improper authorization (CWE‑693).

The security issue applies to all desktop builds of Google Chrome released before version 148.0.7778.96. No specific operating system is mentioned in the provided data, so all platforms using Chrome are potentially susceptible under the stated version constraint.

Exploitation requires an attacker to first gain control of the renderer process, implying that a separate local code execution or privilege escalation vulnerability is needed as a prerequisite. Once that condition is met, a crafted HTML page can trigger a Cast‑initiated navigation to a malicious URL. The CVSS score of 5 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Chromium labels the issue as low severity, suggesting that while the impact is significant from a user‑experience standpoint, it does not lead to remote code execution or direct data compromise on its own.