Cyber Resilience

CVE-2021-30533

MediumCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 07 June 2021

Published
07 June 2021
Modified
24 October 2025
KEV Added
27 June 2022
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score 0.1671 95.1th percentile
Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-30533 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Fedoraproject Fedora. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 4.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is insufficient policy enforcement in the PopupBlocker component of Google Chrome versions prior to 91.0.4472.77. It is tracked as CVE-2021-30533 with CWE-863 and carries a CVSS 3.1 score of 6.5. The flaw permits bypass of navigation restrictions when a crafted iframe is rendered.

A remote attacker can exploit the issue by serving malicious web content that loads the iframe in a victim's browser. Successful exploitation requires user interaction but allows the attacker to circumvent intended navigation controls, resulting in unauthorized integrity changes without affecting confidentiality or availability.

Chrome release notes and downstream advisories for Fedora and Gentoo indicate that the issue is resolved by updating to Chrome 91.0.4472.77 or later, with corresponding package updates published for affected Linux distributions. No information on in-the-wild exploitation is provided in the references.

EU & UK References

Vulnerability details

Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.

CWE(s)
KEV Date Added
27 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 91.0.4472.77
fedoraproject
fedora
33, 34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access and navigation policies that the PopupBlocker failed to uphold against crafted iframes.

prevent

Enforces information-flow rules for cross-origin navigation that the flawed PopupBlocker component bypassed.

prevent

Requires prompt remediation of the identified Chrome flaw via update to 91.0.4472.77 or later.

References