CVE-2021-30533
Published: 07 June 2021
Summary
CVE-2021-30533 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Fedoraproject Fedora. Its CVSS base score is 6.5 (Medium).
Operationally, it is ranked in the top 4.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is insufficient policy enforcement in the PopupBlocker component of Google Chrome versions prior to 91.0.4472.77. It is tracked as CVE-2021-30533 with CWE-863 and carries a CVSS 3.1 score of 6.5. The flaw permits bypass of navigation restrictions when a crafted iframe is rendered.
A remote attacker can exploit the issue by serving malicious web content that loads the iframe in a victim's browser. Successful exploitation requires user interaction but allows the attacker to circumvent intended navigation controls, resulting in unauthorized integrity changes without affecting confidentiality or availability.
Chrome release notes and downstream advisories for Fedora and Gentoo indicate that the issue is resolved by updating to Chrome 91.0.4472.77 or later, with corresponding package updates published for affected Linux distributions. No information on in-the-wild exploitation is provided in the references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-17454
Vulnerability details
Insufficient policy enforcement in PopupBlocker in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass navigation restrictions via a crafted iframe.
- CWE(s)
- KEV Date Added: 27 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces access and navigation policies that the PopupBlocker failed to uphold against crafted iframes.
Enforces information-flow rules for cross-origin navigation that the flawed PopupBlocker component bypassed.
Requires prompt remediation of the identified Chrome flaw via update to 91.0.4472.77 or later.