CVE-2015-6786

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 47.0.2526.73 Opera versions prior to 47.0.2526.73 (no specific version mentioned, but implied to be the same as Google Chrome)

Description The issue lies in the CSPSourceList::matches function within the Content Security Policy (CSP) implementation. This function accepts blob:, data:, or filesystem: URLs as a match for a * pattern. As a result, remote attackers can bypass intended scheme restrictions under certain circumstances by leveraging a policy that relies on this pattern.

Recommendations For Google Chrome versions prior to 47.0.2526.73, update to version 47.0.2526.73 or later to resolve the issue. For Opera, since the specific fixed version is not mentioned, it is recommended to update to the latest version available, ensuring it is at or later than the fixed version for Google Chrome, which is 47.0.2526.73. As a temporary workaround, consider restricting the use of the CSPSourceList::matches function until a patch is available.