CVE-2016-1636

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 49.0.2623.75 Opera versions prior to 49.0.2623.75

Description The issue is related to the PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp, which relies on memory-cache information about integrity-check occurrences instead of integrity-check successes. This allows remote attackers to bypass the Subresource Integrity (SRI) protection mechanism by triggering two loads of the same resource.

Recommendations For Google Chrome versions prior to 49.0.2623.75, update to version 49.0.2623.75 or later to resolve the issue. For Opera versions prior to 49.0.2623.75, update to a version that includes the fix for this issue, as the exact version is not specified. As a temporary workaround, consider restricting access to the PendingScript::notifyFinished function until a patch is available.