CVE-2016-2845

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 49.0.2623.75 Opera versions prior to 49.0.2623.75

Description The Content Security Policy (CSP) implementation in Blink does not ignore a URL's path component in the case of a ServiceWorker fetch. This allows remote attackers to obtain sensitive information about visited web pages by reading CSP violation reports, related to FrameFetchContext.cpp and ResourceFetcher.cpp.

Recommendations For Google Chrome versions prior to 49.0.2623.75, update to version 49.0.2623.75 or later to resolve the issue. For Opera versions prior to 49.0.2623.75, update to version 49.0.2623.75 or later to resolve the issue. As a temporary workaround, consider restricting access to the FrameFetchContext.cpp and ResourceFetcher.cpp components until a patch is available.