CVE-2017-15387 in Chrome
Summary
by MITRE
Insufficient enforcement of Content Security Policy in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to open javascript: URL windows when they should not be allowed to via a crafted HTML page.
Analysis
by VulDB Data Team • 02/03/2023
CVE-2017-15387 is a critical weakness in Google Chrome's Blink rendering engine that undermined the browser's security model. It affected Chrome versions prior to 62.0.3202.62 and lay in the implementation of Content Security Policy (CSP), a fundamental web security mechanism designed to prevent code injection attacks. The flaw let attackers bypass CSP restrictions that should have prevented javascript: URLs from executing in certain contexts, opening a significant attack surface.
The flaw stems from insufficient enforcement of CSP directives in the Blink engine's URL handling. When a page contained crafted HTML that triggered a javascript: URL, the CSP implementation failed to check whether the operation was permitted by the page's policy. The weakness specifically affected window openings: a remote attacker could open javascript: URL windows that the policy should have blocked. In effect, carefully constructed HTML could circumvent CSP by manipulating the browser's URL processing.
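The check that Blink failed to apply is, at its core, a policy question: CSP treats a javascript: URL as inline script, so it may run only if the directive governing scripts permits inline script. The following added example (not code from the VulDB page or from Chromium) is a minimal evaluator that parses a CSP header value and answers that question, showing a weak policy that permits javascript: URLs beside a strict one that does not. The function names and the two policy strings are constructed for this illustration; the evaluation rules follow the CSP specification (script-src falls back to default-src, and a nonce or hash source causes 'unsafe-inline' to be ignored).

```javascript
// Added example, not part of the original page or of Chromium.
// Evaluates whether a page's Content Security Policy permits a javascript: URL
// to execute, which is the decision the browser must make before navigating to
// one. javascript: URLs count as inline script under CSP, governed by
// script-src (falling back to default-src when script-src is absent).

// Parse a serialized CSP header value into a Map of directive name -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the source list that governs inline script, or null when the policy
// places no restriction on scripts at all.
function governingScriptDirective(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Decide whether a javascript: URL may execute under this policy.
// 'unsafe-inline' permits it, but a nonce or hash source in the same directive
// makes 'unsafe-inline' ignored (CSP Level 2 and later).
function javascriptUrlAllowed(policy) {
  const directive = governingScriptDirective(parseCsp(policy));
  if (directive === null) return true; // no script policy: browser default applies
  const lower = directive.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed example policies: a weak one that permits javascript: URLs and a
// strict, nonce-based one that does not.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_POLICY = "default-src 'self'; script-src 'self' 'nonce-abc123'";

console.log('weak policy allows javascript: URL ->', javascriptUrlAllowed(WEAK_POLICY));
console.log('strict policy allows javascript: URL ->', javascriptUrlAllowed(STRICT_POLICY));
```

The evaluator deliberately models only the inline-script decision; real browsers also apply the policy to event handlers and `eval`, and a policy without any script directive leaves javascript: URLs unrestricted, which is why the page's advice to ship strict directives matters.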
The operational impact went beyond simple privilege escalation: the bypass enabled cross-site scripting and could expose user sessions or sensitive information. An attacker could craft a page that opened javascript: URLs in new windows or tabs, executing code that CSP would otherwise have blocked. Web applications that relied heavily on CSP as their XSS defence were hit hardest, because the bypass sidestepped that protection entirely. Since the attack required only that a victim visit a malicious page, it was well suited to phishing campaigns and compromised websites.
This vulnerability aligns with CWE-16 Configuration and maps directly to ATT&CK technique T1211 Command and Scripting Interpreter, as it enabled attackers to execute malicious JavaScript code through manipulated URL handling. The flaw also connects to broader security principles outlined in the OWASP Top Ten, specifically addressing the risk of insecure direct object references and insufficient logging and monitoring. Organizations using affected Chrome versions were exposed to potential data breaches, session hijacking, and other malicious activities that could compromise user privacy and system integrity. The vulnerability demonstrates the critical importance of proper CSP enforcement in modern web browsers and highlights the risks associated with incomplete security policy implementations in complex software systems.
Mitigation for CVE-2017-15387 consists primarily of updating Google Chrome to version 62.0.3202.62 or later, which contains the fix that restores proper CSP enforcement. Administrators should also monitor for suspicious URL patterns and ensure that CSP policies are configured with strict directives, and organizations should verify through regular security assessments that their browser security configuration remains effective against similar weaknesses. Google's patch corrected the core enforcement logic that had let javascript: URLs escape CSP restrictions, restoring the intended security boundaries in the rendering engine.
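The monitoring the mitigation paragraph calls for is most practical through CSP's own reporting channel: a policy that carries a report-uri directive makes the browser POST a JSON report for each blocked load, and inline-script reports (which include javascript: URL attempts) are the ones worth watching. The following added example (not code from the VulDB page or from any browser vendor) parses newline-delimited report log lines, keeps only script-src violations, and groups them per document so a defender can see which pages are receiving inline-script attempts. The log lines are constructed for this example; the field names follow the CSP report format, and the "inline" blocked-uri value is assumed to be what the browser sends for inline script.

```javascript
// Added example, not part of the original page. Triage of CSP violation
// reports collected at a report-uri endpoint. Each log line is one JSON
// document as the browser POSTs it. Sample lines below are constructed.

const SAMPLE_REPORT_LOG = [
  '{"csp-report":{"document-uri":"https://app.example.test/account","effective-directive":"script-src","blocked-uri":"inline","original-policy":"default-src \'self\'; script-src \'self\'; report-uri /csp-report","status-code":200}}',
  '{"csp-report":{"document-uri":"https://app.example.test/account","effective-directive":"script-src","blocked-uri":"inline","original-policy":"default-src \'self\'; script-src \'self\'; report-uri /csp-report","status-code":200}}',
  '{"csp-report":{"document-uri":"https://app.example.test/home","effective-directive":"img-src","blocked-uri":"https://cdn.example.test/pixel.gif","original-policy":"default-src \'self\'; report-uri /csp-report","status-code":200}}',
  'not json at all',
  '{"csp-report":{"document-uri":"https://app.example.test/account","effective-directive":"script-src","blocked-uri":"https://third-party.example.test/x.js","original-policy":"default-src \'self\'; script-src \'self\'; report-uri /csp-report","status-code":200}}',
].join('\n');

// Parse newline-delimited JSON report lines, skipping malformed ones.
function parseReports(logText) {
  const reports = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    try {
      const parsed = JSON.parse(line);
      if (parsed && parsed['csp-report']) reports.push(parsed['csp-report']);
    } catch (err) {
      // Malformed line: skipped here; a production collector should count these.
    }
  }
  return reports;
}

// Keep script-src violations only and group them per document, separating
// inline-script attempts (blocked-uri "inline") from blocked external sources.
function summarizeScriptViolations(reports) {
  const summary = {};
  for (const report of reports) {
    const directive = (report['effective-directive'] || report['violated-directive'] || '')
      .split(/\s+/)[0];
    if (directive !== 'script-src') continue;
    const doc = report['document-uri'] || '(unknown)';
    const entry = summary[doc] || (summary[doc] = { inline: 0, external: {} });
    const blocked = report['blocked-uri'] || '';
    if (blocked === 'inline') entry.inline += 1;
    else entry.external[blocked] = (entry.external[blocked] || 0) + 1;
  }
  return summary;
}

// Documents whose inline-script violation count reaches a threshold, sorted so
// the output is stable for alerting or diffing between runs.
function documentsWithInlineViolations(summary, threshold = 1) {
  return Object.keys(summary)
    .filter((doc) => summary[doc].inline >= threshold)
    .sort();
}

const summary = summarizeScriptViolations(parseReports(SAMPLE_REPORT_LOG));
console.log(JSON.stringify(summary, null, 2));
console.log('documents with inline-script violations:', documentsWithInlineViolations(summary));
```

A spike of inline-script reports from a page that never uses inline script is the signal to investigate; the reports do not by themselves prove a successful bypass, since a correctly enforcing browser sends them precisely because it blocked the attempt.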