CVE-2021-30533
published 2021-06-07CVE-2021-30533: Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a…
PriorityP279medium6.5CVSS 3.1
AVNACLPRNUIRSUCNIHAN
KEVITW
CISA Known Exploited Vulnerabilitydue 2022-07-18
Exploited in the wild
EPSS
16.61%
96.6th percentile
Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| chromium | chromium | >= 0 < 93.0.4577.82-1 | 93.0.4577.82-1 |
| debian | chromium | < chromium 93.0.4577.82-1 (bookworm) | chromium 93.0.4577.82-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 91.0.4472.77 | 91.0.4472.77 | |
| chrome | >= unspecified < 91.0.4472.77 | 91.0.4472.77 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability exists in Google Chrome versions prior to 91.0.4472.77; detect unpatched Chrome installations below this version ↗
- →Attack vector is a crafted iframe used to bypass PopupBlocker navigation restrictions; monitor for suspicious cross-origin iframe navigation attempts triggering popup/redirect behavior ↗
- →Multiple Chromium-based browsers are affected beyond Chrome, including Microsoft Edge and Opera; broaden detection scope to all Chromium-based browser versions below the fixed Chromium build ↗
- ·Debian-based Linux distributions require chromium package version 93.0.4577.82-1 or later to be fully remediated, which is a later version than the upstream Chrome fix (91.0.4472.77) ↗
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.5MEDIUM
vulncheck6.5MEDIUM
cisa6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_msrc6.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-83cg-29pr-h246: Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91
ghsa_unreviewed·2022-05-24
CVE-2021-30533 [MEDIUM] CWE-863 GHSA-83cg-29pr-h246: Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91
Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.
OSV
CVE-2021-30533: Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91
osv·2021-06-07·CVSS 6.5
CVE-2021-30533 [MEDIUM] CVE-2021-30533: Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91
Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.
VulnCheck
Google Chromium PopupBlocker Security Bypass Vulnerability
vulncheck·2021·CVSS 6.5
CVE-2021-30533 [MEDIUM] CWE-863 Google Chromium PopupBlocker Security Bypass Vulnerability
Google Chromium PopupBlocker Security Bypass Vulnerability
Google Chromium PopupBlocker contains an insufficient policy enforcement vulnerability that allows a remote attacker to bypass navigation restrictions via a crafted iframe. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium PopupBlocker
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blog.confiant.com/malvertising-threat-actor-yosec-exploits-browser-bugs-to-push-malware-cve-2021-1765-3040dd3c4af1; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-07-18
CISA
Google Chromium PopupBlocker Security Bypass Vulnerability
cisa·2022-06-27·CVSS 6.5
CVE-2021-30533 [MEDIUM] CWE-863 Google Chromium PopupBlocker Security Bypass Vulnerability
Vulnerability: Google Chromium PopupBlocker Security Bypass Vulnerability
Affected: Google Chromium PopupBlocker
Google Chromium PopupBlocker contains an insufficient policy enforcement vulnerability that allows a remote attacker to bypass navigation restrictions via a crafted iframe. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-30533
Remediation Due Date: 2022-07-18
Chrome
Stable Channel Update for Desktop: CVE-2021-30532
vendor_chrome·2021-05-25·CVSS 4.3
CVE-2021-30532 [MEDIUM] Stable Channel Update for Desktop: CVE-2021-30532
Stable Channel Update for Desktop
CVE-2021-30532: Insufficient policy enforcement in Content Security Policy. Reported by Philip Papurt on 2020-08-18 [$5000][ 1145553 ] Medium CVE-2021-30533: Insufficient policy enforcement in PopupBlocker
Reported by Eliya Stein on 2020-11-04 [$3000][ 1151507 ] Medium CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox
Severity: medium
Microsoft
Chromium: CVE-2021-30533 Insufficient policy enforcement in PopupBlocker
vendor_msrc·2021-05-11·CVSS 6.5
CVE-2021-30533 [MEDIUM] Chromium: CVE-2021-30533 Insufficient policy enforcement in PopupBlocker
Chromium: CVE-2021-30533 Insufficient policy enforcement in PopupBlocker
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
91.0.864.37
5/27/2021
91.0.4472.77
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of
Debian
CVE-2021-30533: chromium - Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4...
vendor_debian·2021·CVSS 6.5
CVE-2021-30533 [MEDIUM] CVE-2021-30533: chromium - Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4...
Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.
Scope: local
bookworm: resolved (fixed in 93.0.4577.82-1)
bullseye: resolved (fixed in 93.0.4577.82-1)
forky: resolved (fixed in 93.0.4577.82-1)
sid: resolved (fixed in 93.0.4577.82-1)
trixie: resolved (fixed in 93.0.4577.82-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.htmlhttps://crbug.com/1145553https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/https://security.gentoo.org/glsa/202107-06https://chromereleases.googleblog.com/2021/05/stable-channel-update-for-desktop_25.htmlhttps://crbug.com/1145553https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETMZL6IHCTCTREEL434BQ4THQ7EOHJ43/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAT6EOXVQFE6JFMFQF4IKAOUQSHMHL54/https://security.gentoo.org/glsa/202107-06https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-30533
2021-06-07
Published
2022-06-27
Added to CISA KEV
Exploited in the wild