Cross-domain policy bypass in Microsoft Edge - CVE-2017-0002

 


Published: January 10, 2017 / Updated: January 10, 2017


Vulnerability identifier: #VU4102
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2017-0002
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Edge

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists because Microsoft Edge does not properly enforce cross-domain policies with about:blank. A remote attacker can create a specially crafted web page, trick the victim into visiting it, access information from one domain, and inject it into another domain.

Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to potentially sensitive information and perform cross-site scripting or phishing attacks.


How to mitigate CVE-2017-0002

Install updates from the Microsoft website.
