Gal Weizman

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 143.0.7499.192 **Description** Insufficient policy enforcement in the `WebView` tag allows a remote attacker to inject scripts or HTML into privileged pages via a crafted Chrome extension. This issue can be exploited if a user is convinced to install a malicious extension. Specifically, the flaw allows extensions to intercept traffic and inject JavaScript into the Gemini AI side panel, which operates in a highly privileged context. This leads to privilege escalation, enabling the attacker to silently activate the webcam and microphone, capture screenshots, read local files, and inject fake messages into the Gemini interface. **Recommendations** Update Google Chrome to version 143.0.7499.192 or later. Restrict extension installation policies via enterprise policies or user education to prevent untrusted extensions from being added.

**Name of the Vulnerable Software and Affected Versions** Snyk Advisor versions prior to 28th March 2023 **Description** The issue concerns a stored XSS vulnerability. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor. **Recommendations** For versions prior to 28th March 2023, consider disabling the feature that displays the contents of a scanned package's Readme on its package health page until a patch is available. Restrict access to the package health page to minimize the risk of exploitation. Avoid using the Snyk Advisor website until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 84.0.4147.89 **Description** A policy bypass issue in the Content Security Policy (CSP) component of Google Chrome allowed a remote attacker to bypass content security policy via a crafted HTML page. The vulnerability is related to incorrect access control, which could allow a remote attacker to impact data integrity. It is estimated that almost every website in the world was at risk due to this issue. The vulnerability could potentially expose passwords in plain text through the user interface or in local files. **Recommendations** For Google Chrome versions prior to 84.0.4147.89, update to version 84.0.4147.89 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and avoiding the use of plain text passwords in local files until the update is applied.