CVE-2019-5840
Published: 2019-06-27
Priority: P2 · 76 · medium
CVSS 3.1: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 1.06% (60.3th percentile)
Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.3770.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| debian | chromium | < chromium 75.0.3770.80-1 (bookworm) | chromium 75.0.3770.80-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| | chrome | < 75.0.3770.80 | 75.0.3770.80 |
| | chrome | >= unspecified < 75.0.3770.80 | 75.0.3770.80 |
| opensuse | backports | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
Detection & IOCs
- Vulnerability affects Google Chrome on iOS only, prior to version 75.0.3770.80. The bypass is triggered via a crafted HTML page exploiting incorrect security UI in the popup blocker.
- Fixed in Chromium package version 75.0.3770.80-1 across Debian releases (bookworm, bullseye, forky, sid, trixie).
- Red Hat addressed this issue in Red Hat Enterprise Linux 6 Supplementary via RHSA-2019:1477.
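CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vulncheck | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |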
GHSA
GHSA-xw96-xcrg-p8w2: Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75
ghsa_unreviewed·2022-05-24
CVE-2019-5840 [MEDIUM] CWE-362 GHSA-xw96-xcrg-p8w2: Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75
Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.3770.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
OSV
CVE-2019-5840: Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75
osv·2019-06-27·CVSS 4.3
CVE-2019-5840 [MEDIUM] CVE-2019-5840: Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75
Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.3770.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
VulnCheck
Google Chrome Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
vulncheck·2019·CVSS 4.3
CVE-2019-5840 [MEDIUM] Google Chrome Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.3770.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Affected: Google Chrome
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.confiant.com/hubfs/ScamClub-Threat-Report-Q1Q2-2023.pdf
Red Hat
chromium-browser: Popup blocker bypass
vendor_redhat·2019-06-04·CVSS 4.3
CVE-2019-5840 [MEDIUM] chromium-browser: Popup blocker bypass
Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.3770.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Debian
CVE-2019-5840: chromium - Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.377...
vendor_debian·2019·CVSS 4.3
CVE-2019-5840 [MEDIUM] CVE-2019-5840: chromium - Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.377...
Incorrect security UI in popup blocker in Google Chrome on iOS prior to 75.0.3770.80 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 75.0.3770.80-1)
bullseye: resolved (fixed in 75.0.3770.80-1)
forky: resolved (fixed in 75.0.3770.80-1)
sid: resolved (fixed in 75.0.3770.80-1)
trixie: resolved (fixed in 75.0.3770.80-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-5840 chromium-browser: Popup blocker bypass
bugzilla·2019-06-07·CVSS 4.3
CVE-2019-5840 [MEDIUM] CVE-2019-5840 chromium-browser: Popup blocker bypass
The following flaw was identified in the Chromium browser: Popup blocker bypass.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=951782
External References:
https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1718272]
Affects: fedora-all [bug 1718271]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2019:1477 https://access.redhat.com/errata/RHSA-2019:1477
Bugzilla
CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5835 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 chromium: various
bugzilla·2019-06-07·CVSS 8.8
CVE-2019-5828 [HIGH] CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5835 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 chromium: various
CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5835 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 chromium: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also ment
Bugzilla
CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5835 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 chromium: various
bugzilla·2019-06-07·CVSS 8.8
CVE-2019-5828 [HIGH] CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5835 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 chromium: various
CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5835 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 chromium: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please a
References:
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html
https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop.html
https://crbug.com/951782
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CPM7VPE27DUNJLXM4F5PAAEFFWOEND6X/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKN4GPMBQ3SDXWB4HL45II5CZ7P2E4AI/
https://seclists.org/bugtraq/2019/Aug/19
https://security.gentoo.org/glsa/201908-18
https://www.debian.org/security/2019/dsa-4500