Alison Huffman

**Name of the Vulnerable Software and Affected Versions** Google Chrome on Android versions prior to 90.0.4430.212 **Description** The issue is related to an inappropriate implementation in the offline mode of Google Chrome, allowing a remote attacker who has compromised the renderer process to bypass site isolation. This can be achieved via a crafted HTML page. The vulnerability is also related to the inclusion of features from an untrusted controlled area, which can be exploited by a remote attacker to bypass existing security restrictions using a specially crafted HTML page. **Recommendations** For Google Chrome on Android versions prior to 90.0.4430.212, update to version 90.0.4430.212 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: iOS versions prior to 14.4.1 iPadOS versions prior to 14.4.1 Safari versions prior to 14.0.3 watchOS versions prior to 7.3.2 macOS Big Sur versions prior to 11.2.3 Description: A memory corruption issue was addressed with improved validation. Processing maliciously crafted web content may lead to arbitrary code execution. The issue is related to insufficient input validation in the WebKit module used by the Safari browser, which could allow a remote attacker to execute arbitrary code using a specially crafted malicious web page. Recommendations: For iOS versions prior to 14.4.1, update to iOS 14.4.1 or later. For iPadOS versions prior to 14.4.1, update to iPadOS 14.4.1 or later. For Safari versions prior to 14.0.3, update to Safari 14.0.3 or later. For watchOS versions prior to 7.3.2, update to watchOS 7.3.2 or later. For macOS Big Sur versions prior to 11.2.3, update to macOS Big Sur 11.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 89.0.4389.72 **Description** The issue is related to insufficient data validation in Reader Mode, allowing a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server. This can lead to unauthorized access to protected information. **Recommendations** For versions prior to 89.0.4389.72, update to version 89.0.4389.72 or later to resolve the issue. As a temporary workaround, consider disabling Reader Mode until a patch is available. Restrict access to potentially malicious servers and crafted HTML pages to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 89.0.4389.72 Description: A data race in the audio component of Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This issue is related to a use-after-free vulnerability, which could allow an attacker to execute arbitrary code. The vulnerability has been reportedly exploited in real-world attacks. Recommendations: For Google Chrome versions prior to 89.0.4389.72, update to version 89.0.4389.72 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable audio components until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 89.0.4389.72 Description: The issue is related to a data race in the audio component of Google Chrome, which can be exploited by a remote attacker to potentially cause heap corruption via a crafted HTML page. This could allow the attacker to gain unauthorized access to protected information. Recommendations: For versions prior to 89.0.4389.72, update to version 89.0.4389.72 or later to resolve the issue. As a temporary workaround, consider restricting access to audio components in Google Chrome until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 88.0.4324.146 **Description** The issue is related to a use after free in the Navigation component of Google Chrome, which could allow a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. This could impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to 88.0.4324.146, update to version 88.0.4324.146 or later to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable Navigation components until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 90.0.4430.72 Microsoft Edge (affected versions not specified) **Description** The issue is related to insufficient policy enforcement in navigation, allowing a remote attacker to bypass security restrictions via a crafted HTML page. This can be exploited by a remote attacker to bypass existing security restrictions. **Recommendations** For Google Chrome versions prior to 90.0.4430.72, update to version 90.0.4430.72 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 87.0.4280.141 **Description** The issue is related to a heap buffer overflow in the audio component, which can be exploited by a remote attacker using a crafted HTML page, potentially leading to heap corruption and impacting the confidentiality, integrity, and availability of protected information. **Recommendations** For Google Chrome versions prior to 87.0.4280.141, update to version 87.0.4280.141 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 86.0.4240.75 **Description** The issue is related to insufficient policy enforcement in the networking component of Google Chrome, which can be exploited by a remote attacker who has compromised the renderer process. This can allow the attacker to bypass the same origin policy via a crafted HTML page. The estimated number of potentially affected devices is not specified. **Recommendations** For versions prior to 86.0.4240.75, update to version 86.0.4240.75 or later to resolve the issue. As a temporary workaround, consider restricting access to crafted HTML pages to minimize the risk of exploitation.