PatchSiren cyber security CVE debrief
CVE-2017-5007 Google CVE debrief
CVE-2017-5007 is a browser security issue in Blink, the rendering engine used by Google Chrome. According to the CVE description, Chrome incorrectly handled the sequence of events when closing a page, which could let a remote attacker inject arbitrary scripts or HTML and achieve universal cross-site scripting (UXSS) through a crafted HTML page. NVD rates it as medium severity (CVSS 6.1): network exposure, no privileges required, but user interaction needed.
- Vendor: Google
- Product: Google Chrome
- CVE: CVE-2017-5007
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-17
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-17
- Advisory updated: 2026-05-13
Who should care
Organizations running Google Chrome on desktop or Android, especially endpoint teams, browser management teams, and users handling untrusted web content. Because this is a browser-side UXSS issue, it matters most where users may open attacker-controlled HTML or visit untrusted pages.
Technical summary
The NVD record classifies the weakness as CWE-79 and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is described as an incorrect sequence-of-events handling bug in Blink during page close, which could allow script or HTML injection in the browser context. The CVE description names fixed Chrome versions as 56.0.2924.76 for Linux, Windows, and Mac, and 56.0.2924.87 for Android. NVD also includes a vulnerable CPE entry for Google Chrome up to 55.0.2883.87, so version mapping should be verified against vendor guidance.
Defensive priority
Medium priority. The flaw is externally reachable and can affect browser integrity and confidentiality, but it requires user interaction. Prioritize if your environment still has Chrome builds in the affected range or if users commonly open untrusted HTML.
Recommended defensive actions
- Verify installed Chrome versions against the CVE description and vendor advisories, and update to the fixed releases named in the record.
- Use centralized browser update management to ensure desktop and Android clients receive patched builds promptly.
- Review exposure for users who regularly open downloaded HTML files, attacker-supplied links, or untrusted web content.
- Monitor endpoint inventories for any Chrome installations that lag behind the patched versions referenced in the CVE.
- Prefer standard browser hardening controls and limit unnecessary local HTML handling where practical.
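The version check from the first and fourth actions above, as an added example that is not part of this debrief: it compares each inventory entry against the per-platform fixed releases the CVE description names, treats the Android threshold separately, and refuses to classify malformed version strings as patched. The inventory lines and host names are constructed sample data.

```python
# Added example (not from the debrief): flag Chrome builds that predate the
# fixed releases the CVE-2017-5007 description names for each platform.
import re
from typing import List, Tuple

# Fixed releases as given in the CVE description; NVD's CPE range ends at
# 55.0.2883.87, so anything at or below that is affected on every platform.
FIXED_VERSIONS = {
    "linux": "56.0.2924.76",
    "windows": "56.0.2924.76",
    "mac": "56.0.2924.76",
    "android": "56.0.2924.87",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a four-part Chrome version (a.b.c.d) into a comparable int tuple."""
    text = text.strip()
    # Reject anything else so a malformed entry is reported, not treated as patched.
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in text.split("."))

def is_affected(version: str, platform: str) -> bool:
    """True when the build is older than the fixed release for its platform."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[platform.lower()])

def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Classify 'host,platform,version' lines as affected/patched/unparseable."""
    results = []
    for line in lines:
        host, platform, version = (f.strip() for f in line.split(",", 2))
        try:
            status = "affected" if is_affected(version, platform) else "patched"
        except (ValueError, KeyError):  # bad version string or unknown platform
            status = "unparseable"
        results.append((host, platform, version, status))
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    "ws-01,windows,55.0.2883.87",     # NVD CPE upper bound: still affected
    "ws-02,mac,56.0.2924.76",         # exactly the fixed desktop build
    "ws-03,linux,56.0.2924.75",       # one build below the desktop fix
    "phone-01,android,56.0.2924.76",  # fine on desktop, below the Android fix
    "ws-04,windows,56.0.2924",        # malformed entry: must not pass silently
]
```

Entries reported as unparseable should be re-queried from the endpoint tool rather than dropped, since a missing build number is exactly where a lagging install hides.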
Evidence notes
This debrief is based on the supplied NVD CVE metadata, the CVE description text, and the reference list included in the source corpus. The description explicitly mentions Blink, page-close event handling, arbitrary script/HTML injection, and UXSS. No exploit code or unsupported vendor-content claims were used. The reference list includes the Google Chrome stable-channel release note, crbug 671102, and downstream advisories from Red Hat, Debian, and Gentoo.
Official resources
Publicly disclosed on 2017-02-17, based on the CVE/NVD publishedAt timestamp supplied in the source corpus. The record was later modified on 2026-05-13, but that is not the disclosure date.