CVE-2017-5018 Google CVE debrief

Who should care

Organizations and users running affected Google Chrome builds on Linux, Windows, Mac, or Android should care, especially where users may browse untrusted web content. Browser administrators should also care because the issue affects a privileged browser page and was addressed through Chrome release updates and downstream distro advisories.

Technical summary

NVD maps the weakness to CWE-79 and gives a CVSS v3.0 vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, no privileges required, user interaction required, and limited confidentiality/integrity impact with changed scope. The CVE description says the Chrome app launcher page had an insufficiently strict CSP, allowing script or HTML injection into a privileged page via crafted HTML. The description states fixes in Chrome 56.0.2924.76 for Linux, Windows, and Mac, and 56.0.2924.87 for Android. NVD’s CPE criteria also lists affected Chrome versions through 55.0.2883.87, which should be treated as part of the record rather than a separate claim of impact.

Defensive priority

Medium. The issue requires user interaction and does not indicate availability impact, but it affects a privileged page and can permit script or HTML injection, so patching should be prioritized for exposed or widely used browser fleets.

Recommended defensive actions

• Upgrade Google Chrome to a fixed release as indicated in the CVE description: 56.0.2924.76 or later on Linux, Windows, and Mac; 56.0.2924.87 or later on Android.
• Verify enterprise-managed browser versions across endpoints and enforce rapid update deployment for Chromium-based browsers.
• Review browser update channels and downstream vendor advisories referenced in the record to confirm all managed platforms have the patched build.
• Treat untrusted HTML/content delivery to users as a risk amplifier and reinforce user awareness around opening unknown web content until remediation is complete.

Evidence notes

This debrief is based on the supplied NVD CVE record, which identifies CWE-79 and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVE description states that Chrome’s app launcher page had an insufficiently strict content security policy, enabling script or HTML injection into a privileged page via a crafted HTML page. The record’s references include Google Chrome release notes, a Chromium bug entry, and downstream advisories from Red Hat, Debian, and Gentoo, supporting that the issue was publicly patched and tracked across multiple distributions. The supplied corpus also contains a version-range discrepancy: the textual CVE description names fixed versions at 56.0.2924.76/.87, while NVD’s CPE criteria lists affected Chrome versions through 55.0.2883.87.

Official resources