A vulnerability discovered by researchers allows attackers to bypass Content Security Policy (CSP) protections and steal data from website visitors. The flaw lies in Google’s Chromium-based browsers, versions 73 through 83, and was patched in Chrome 84, released in July. Attackers leveraging the vulnerability could potentially also execute rogue code.
CVE-2020-6519, the bug in question, affects Chrome, Opera, and Edge on Windows, Mac, and Android devices, putting billions of users at risk. CSP is a web policy standard that mitigates the risks posed by attacks such as cross-site scripting and data injection. It also lets web administrators dictate which domains a browser treats as valid sources of executable script; the flaw, however, allows attackers to bypass these preventive controls.
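To show what the script-source allowlist described above actually does, here is an added example (not code from the article or from any browser) of a simplified CSP `script-src` evaluator in JavaScript; the policy and domains are constructed, and nonces, hashes and the `'unsafe-*'` keywords are not modelled. A browser bug like CVE-2020-6519 sidesteps this check inside the browser itself, so the fix is the browser update, not a stricter policy.

```javascript
// Added example (not code from the article or from Chromium): a simplified
// evaluator for the CSP script-src directive, showing how a browser decides
// whether a script URL is an allowed source. Handles 'self', 'none',
// scheme-source (https:) and host-source (host, *.host, optional scheme/port).

function parseCsp(header) {
  // "default-src 'self'; script-src 'self' https://cdn.example.com" -> {directive: [sources]}
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function matchesSource(expr, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl);            // global URL (Node >= 10 and browsers)
  const page = new URL(pageOrigin);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e;   // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;                    // nonces, hashes, unknown keywords: not modelled
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (u.protocol !== scheme + ':') return false;
  } else if (u.protocol !== page.protocol &&
             !(page.protocol === 'http:' && u.protocol === 'https:')) {
    return false;                          // no scheme given: inherit the page scheme (http may upgrade to https)
  }
  if (wildcard ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  if (!port) return u.port === '';         // no port listed: only the scheme's default port matches
  if (port === '*') return true;
  return (u.port || (u.protocol === 'https:' ? '443' : '80')) === port;
}

function scriptAllowed(header, scriptUrl, pageOrigin) {
  const d = parseCsp(header);
  const sources = d['script-src'] || d['default-src'];   // script-src falls back to default-src
  if (!sources) return true;               // no governing directive: unrestricted
  return sources.some(s => matchesSource(s, scriptUrl, pageOrigin));
}

// Constructed policy and URLs for demonstration.
const policy = "default-src 'self'; script-src 'self' https://cdn.example.com *.static.example.net";
console.log(scriptAllowed(policy, 'https://cdn.example.com/app.js', 'https://www.example.com'));   // true
console.log(scriptAllowed(policy, 'https://evil.example.org/x.js', 'https://www.example.com'));   // false
```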