Google Chrome Loader Cross-Origin Data Leak Vulnerability

Vulnerability

A vulnerability in the Loader component of Google Chrome prior to version 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. The issue arose from insufficient policy enforcement, enabling unauthorized data access.

Impact

Exploitation of this vulnerability could lead to unauthorized cross-origin data leakage that bypasses the default referrer policy and, according to the Chromium issue discussion, could potentially enable GET-based Cross-Site Request Forgery (CSRF) attacks.

Reproduction

The vulnerability can be reproduced by loading an attacker-controlled external image as a cross-origin subresource, such as through an 'img' tag. This triggers an additional request that carries the full referrer, even though the default referrer policy should reduce it to the origin for cross-origin requests. The issue can also be replicated with other subresource types, such as CSS background images or font-face sources.
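The following is an added example, not code from the advisory or from the Chromium project. It models what the Referer header is expected to contain under each Referrer Policy value (following the W3C Referrer Policy algorithms, with the https-to-http downgrade check simplified), and uses that model to flag cross-origin subresource requests whose Referer discloses more than the default policy permits. The proxy log format, the hosts and the log lines are constructed for the example; the `DEFAULT_POLICY` constant is the browser default assumed here.

```python
"""Expected-Referer model plus a check over egress proxy logs for over-disclosed Referer values.

Added example (not from the advisory). Policy rules follow the W3C Referrer Policy
spec; the downgrade test is simplified to "https source, http destination".
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Browser default policy assumed for the check (Chrome's default since version 85).
DEFAULT_POLICY = "strict-origin-when-cross-origin"


def _host_port(parts) -> str:
    """host[:port] with any userinfo removed."""
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port is not None else host


def origin_of(url: str) -> str:
    """Serialize the origin: scheme://host[:port] with no path, query or fragment."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}"


def strip_for_referrer(url: str) -> str:
    """Spec's 'strip url for use as a referrer': drop credentials and the fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def is_downgrade(source: str, dest: str) -> bool:
    """Simplified: a request from an https page to an http destination."""
    return urlsplit(source).scheme == "https" and urlsplit(dest).scheme == "http"


def expected_referer(policy: str, source: str, dest: str) -> Optional[str]:
    """Return the Referer value a browser should send, or None for no Referer."""
    same_origin = origin_of(source) == origin_of(dest)
    downgrade = is_downgrade(source, dest)
    origin_only = origin_of(source) + "/"
    full = strip_for_referrer(source)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown referrer policy: {policy}")


# Constructed egress proxy log lines: <timestamp> <method> <url> "<referer>" ("-" = none).
SAMPLE_LOG = [
    '2025-06-09T19:46:00Z GET https://cdn.third.example/pixel.gif "https://app.example/"',
    '2025-06-09T19:46:01Z GET https://cdn.third.example/track.gif "https://app.example/accounts/42?tab=billing"',
    '2025-06-09T19:46:02Z GET https://app.example/static/logo.png "https://app.example/accounts/42?tab=billing"',
    '2025-06-09T19:46:03Z GET https://fonts.third.example/a.woff2 "-"',
]


def find_overdisclosed(log_lines: List[str], policy: str = DEFAULT_POLICY) -> List[Tuple[str, str]]:
    """Flag cross-origin requests whose observed Referer carries more than the policy allows.

    The observed Referer is treated as the source page; if the policy would have reduced
    that source to something shorter (or to nothing), the request is reported.
    """
    flagged = []
    for line in log_lines:
        if not line.strip():
            continue
        _ts, _method, dest, ref = line.split(" ", 3)
        ref = ref.strip().strip('"')
        if ref in ("", "-"):
            continue  # no Referer sent: nothing disclosed
        if origin_of(ref) == origin_of(dest):
            continue  # same-origin: a full referrer is expected under the default policy
        if ref != expected_referer(policy, ref, dest):
            flagged.append((dest, ref))
    return flagged


if __name__ == "__main__":
    for dest, ref in find_overdisclosed(SAMPLE_LOG):
        print(f"over-disclosed Referer to {dest}: {ref}")
```

Run against real proxy or CDN logs, only the cross-origin requests that still carry a path or query in the Referer are reported; with the fixed browser and the default policy, that list should be empty for pages that set no explicit, more permissive Referrer-Policy.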

Remediation

Update to Google Chrome version 136.0.7103.113 or later, which contains the fix for this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread            8.4
  impact            2.5
  exploitability    5.8
  remediation       7.7
  relevance         0.0
  threat            6.4
  urgency           2.9
  incentive         0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.