Seebug SSV:93023 (Root)
History: Apr 24, 2017 - 12:00 a.m.

Chrome Universal XSS using an intercepted native function (CVE-2016-1672)

2017-04-24 00:00:00
Root
www.seebug.org

EPSS: 0.014 (Low), percentile 84.8%

VULNERABILITY DETAILS

The fix for issue 546677 is insufficient to protect against overriding the internal extensions code: it is still possible to take over the built-in extension system with a combination of getters and setters. This allows web content to gain access to native functions that may be misused; for example, |user_gestures.RunWithUserGesture| can be leveraged to create new pages at an arbitrary JavaScript execution point, effectively bypassing ScopedPageLoadDeferrer.

VERSION

Chrome 48.0.2564.116 (Stable)
Chrome 49.0.2623.64 (Beta)
Chrome 50.0.2657.0 (Dev)
Chromium 50.0.2660.0 + Pepper Flash (Release build compiled today)

Attachment: CVE-2016-1672