PatchSiren cyber security CVE debrief
CVE-2017-5010 Google CVE debrief
CVE-2017-5010 is a Google Chrome Blink issue that could allow a remote attacker to inject arbitrary script or HTML into another origin (universal cross-site scripting, UXSS) when a user visits a crafted HTML page. The supplied record places the impact in Chrome versions before 56.0.2924.76 on Linux, Windows, and Mac, and before 56.0.2924.87 on Android. Because exploitation requires user interaction and the impact falls on cross-origin trust boundaries (confidentiality and integrity) rather than availability, the issue is scored as medium severity (CVSS v3.0 6.1), but it still warrants prompt patching in managed browser fleets.
- Vendor: Google
- Product: Chrome
- CVE: CVE-2017-5010
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-17
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-17
- Advisory updated: 2026-05-13
Who should care
Security teams and IT administrators managing Google Chrome on desktop or Android should care, especially where users routinely browse untrusted content or where browser versions may lag behind vendor updates. Web-facing environments, enterprise fleets, and teams responsible for endpoint patch compliance should verify that affected Chrome builds are no longer in use.
Technical summary
The NVD record describes a Blink flaw in which resolved promises were handled in an inappropriate context, allowing a remote attacker to inject arbitrary script or HTML and achieve UXSS via a crafted HTML page. NVD maps the weakness to CWE-79 (improper neutralization of input during web page generation) and assigns the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity and no privileges, requiring user interaction (visiting the page), with a scope change because the injected script acts on an origin other than the attacker's, low confidentiality and integrity impact, and no availability impact. Under the v3.0 equations that vector yields a base score of 6.1, which is why the record rates the issue MEDIUM.
Defensive priority
Medium. Prioritize remediation in browser fleets because the issue can undermine same-origin protections and enable script or HTML injection after a user opens a malicious page, even though it does not impact availability.
Recommended defensive actions
- Upgrade Google Chrome to a fixed release at or above 56.0.2924.76 on Linux, Windows, and Mac, and at or above 56.0.2924.87 on Android.
- Inventory all managed endpoints and browser channels to confirm no affected Chrome versions remain deployed.
- Treat untrusted web content as higher risk until patch compliance is verified, and consider restricting unsupported browser versions from accessing sensitive internal resources.
- Use the linked Chrome release note and NVD record to validate remediation status during change control and vulnerability reporting.
- Track related browser security advisories and confirm that enterprise update mechanisms are functioning as expected.
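The inventory step above is where fleet checks most often go wrong: comparing Chrome builds as strings ("9.0.x" sorts after "56.0.x") or applying the desktop fix version to Android, where the fixed build is the later 56.0.2924.87. The following is an added example, not PatchSiren's or Google's tooling, that compares inventoried versions numerically against the per-platform fixed builds named in this debrief. The inventory records, host names, and the platform labels "linux", "windows", "mac" and "android" are constructed for the example; adapt the loader to whatever your endpoint management system exports.

```python
"""Chrome fleet check for CVE-2017-5010 (added example, not PatchSiren's tooling).

Flags inventoried endpoints whose Chrome build predates the fixed release named
in the advisory: 56.0.2924.76 for Linux, Windows and Mac; 56.0.2924.87 for Android.
The inventory below is constructed sample data, not real hosts.
"""
from typing import Iterable, List, NamedTuple, Tuple

# Fixed builds from the advisory, keyed by an assumed lower-case platform label.
FIXED_VERSION = {
    "linux": "56.0.2924.76",
    "windows": "56.0.2924.76",
    "mac": "56.0.2924.76",
    "android": "56.0.2924.87",
}


class Endpoint(NamedTuple):
    host: str
    platform: str
    chrome_version: str


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a dotted Chrome build like '55.0.2883.87' into an integer tuple.

    Integer tuples compare component by component, so 9.0.597.107 correctly
    sorts below 56.0.2924.76 even though the string '9' sorts after '5'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_vulnerable(platform: str, version: str) -> bool:
    """True if the build is older than the fixed release for that platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSION:
        raise ValueError(f"no fixed version recorded for platform {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSION[key])


def find_exposed(endpoints: Iterable[Endpoint]) -> List[Tuple[str, str, str, str]]:
    """Return (host, platform, current build, required build) for each exposed host."""
    exposed = []
    for e in endpoints:
        if is_vulnerable(e.platform, e.chrome_version):
            exposed.append((e.host, e.platform, e.chrome_version,
                            FIXED_VERSION[e.platform.strip().lower()]))
    return exposed


# Constructed sample inventory covering the edge cases a fleet check must handle.
SAMPLE_INVENTORY = [
    Endpoint("ws-001", "Windows", "55.0.2883.87"),   # last affected desktop build
    Endpoint("ws-002", "Windows", "56.0.2924.76"),   # exactly the desktop fix
    Endpoint("mac-014", "Mac", "56.0.2924.87"),      # newer than the desktop fix
    Endpoint("lnx-007", "Linux", "9.0.597.107"),     # string comparison would pass this
    Endpoint("phone-21", "Android", "56.0.2924.76"), # desktop fix build, below Android fix
    Endpoint("phone-22", "Android", "56.0.2924.87"), # exactly the Android fix
]


if __name__ == "__main__":
    for host, platform, current, required in find_exposed(SAMPLE_INVENTORY):
        print(f"{host:<10} {platform:<8} {current:<14} -> needs {required}")
```

Running it against the sample inventory reports ws-001, lnx-007 and phone-21. The Android case is the one to watch in mixed fleets: a device on 56.0.2924.76 looks patched if the desktop threshold is applied to every platform.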
Evidence notes
The supplied NVD record identifies Google Chrome as the affected product via the cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* criteria and lists the vulnerability as affecting versions through 55.0.2883.87 in the record data. The record also provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79. Reference URLs in the source corpus include the Chrome Stable Channel update, crbug 663476, and multiple vendor/security advisories that corroborate remediation timing.
Official resources
The CVE was published on 2017-02-17. The supplied NVD record was modified on 2026-05-13, which should be treated as record maintenance rather than the original vulnerability date. No CISA KEV entry is present in the supplied data.