The fix for the issue 546677 is insufficient to protect against overriding the internal extensions code – it is still possible to take over the built-in extension system with a combination of getters and setters. This allows web content to gain access to native functions that may be misused, for example |user_gestures. RunWithUserGesture| can be leveraged to create new pages at an arbitrary javascript execution point, effectively bypassing ScopedPageLoadDeferrer.
Chrome 48.0.2564.116 (Stable)
Chrome 49.0.2623.64 (Beta)
Chrome 50.0.2657.0 (Dev)
Chromium 50.0.2660.0 + Pepper Flash (Release build compiled today)
Attachment: CVE-2016-1672