PT-2011-4752 · Google+1 · Google Chrome+2

Sergey Glazunov · Published 2011-10-25 · Updated 2020-05-11 · CVE-2011-3881

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Google Chrome versions prior to 15.0.874.102
Android versions prior to 4.4

Description

The issue allows remote attackers to bypass the Same Origin Policy, enabling them to conduct Universal XSS (UXSS) attacks. This can be achieved through various vectors, including the use of the DOMWindow::clear function with a selection object, the Object::GetRealNamedPropertyInPrototypeChain function with a __proto__ property, the HTMLPlugInImageElement::allowedToLoadFrameURL function with a javascript: URL, incorrect origins for XSLT-generated documents in the XSLTProcessor::createDocumentFromSource function, and improper handling of synchronous frame loads in the ScriptController::executeIfJavaScriptURL function.

Recommendations

For Google Chrome versions prior to 15.0.874.102, update to version 15.0.874.102 or later to resolve the issue. For Android versions prior to 4.4, update to version 4.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of javascript: URLs and synchronous frame loads until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2011-3881

Affected Products

Android
Google Chrome
Safari