PatchSiren cyber security CVE debrief
CVE-2017-5013 Google CVE debrief
CVE-2017-5013 is a Google Chrome vulnerability that could let a remote attacker spoof what users see in the Omnibox (URL bar) by abusing incorrect handling of new tab page navigations in non-selected tabs. The issue is user-interaction dependent and affects Chrome versions before the fixed release referenced by Google and NVD. Because the flaw can mislead users about the page they are viewing, it is primarily a browser integrity and trust issue rather than a code-execution issue.
- Vendor
- Product
- CVE-2017-5013
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-17
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-17
- Advisory updated: 2026-05-13
Who should care
Anyone running affected Google Chrome versions, especially Linux users and enterprise administrators responsible for browser patching and managed desktop fleets. Security teams should prioritize this if they rely on Chrome for user-facing web access, authentication, or internal portal workflows where URL trust matters.
Technical summary
According to the NVD description, Chrome prior to the fixed release incorrectly handled new tab page navigations in non-selected tabs. A remote attacker could use a crafted HTML page to spoof the contents of the Omnibox, which is a user-interface integrity problem. NVD classifies the impact as network exploitable, low complexity, no privileges required, but requiring user interaction, with high integrity impact and no confidentiality or availability impact (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
Defensive priority
Medium. The issue does not indicate code execution or data theft, but it can materially undermine user trust in the browser UI and can be used to mislead users into accepting a fake destination. Patch promptly on exposed desktops and managed endpoints.
Recommended defensive actions
- Update Google Chrome to a version at or above the fixed release referenced by the vendor advisory; do not remain on affected versions.
- For Linux fleets, confirm package managers and managed browser channels have applied the Chrome fix across all endpoints.
- Review browser patch compliance in enterprise environments, especially where users access sensitive portals or perform high-trust transactions in Chrome.
- Treat unexpected URL-bar or tab-UI behavior as a security signal and report it through normal browser security channels.
- Use vendor advisories and distribution security notices to validate that local packages include the Chrome fix.
Evidence notes
NVD describes the issue as Chrome incorrectly handling new tab page navigations in non-selected tabs, enabling Omnibox spoofing via a crafted HTML page. The CVSS vector provided by NVD is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, supporting a user-interaction-dependent UI spoofing impact. Google-linked references in the record include the Chrome stable channel update, Chromium issue 677716, and distribution advisories from Red Hat, Debian, and Gentoo, indicating broad patch availability. Note: the record also contains a version-range discrepancy between the textual description and the CPE range; this debrief preserves both as supplied without resolving the difference.
Official resources
Publicly disclosed on 2017-02-17. The supplied NVD record was modified on 2026-05-13; that later date reflects record maintenance, not the original vulnerability disclosure.