PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5020 Google CVE debrief

CVE-2017-5020 is a Google Chrome vulnerability where the browser failed to require a user gesture for powerful download operations. According to the CVE record, a remote attacker who persuaded a user to install a malicious extension could use a crafted HTML page to execute arbitrary code. NVD classifies the issue as medium severity with a network vector and user interaction required.

Vendor: Google
Product: CVE-2017-5020
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Browser security teams, endpoint defenders, Chrome administrators, and organizations that allow third-party Chrome extensions should pay attention, especially where older Chrome builds or weak extension governance may still exist.

Technical summary

The NVD record states that Chrome versions prior to 56.0.2924.76 on Linux, Windows, and Mac, and prior to 56.0.2924.87 on Android, did not properly require a user gesture for powerful download operations. That control gap could be chained with a malicious extension and a crafted HTML page to reach arbitrary code execution. NVD maps the weakness to CWE-79 and gives the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Defensive priority

Medium. The issue requires user interaction, but the impact can still be meaningful where outdated Chrome versions remain in use or extension installation is not tightly controlled.

Recommended defensive actions

  • Upgrade Chrome to a version at or above 56.0.2924.76 on desktop platforms or 56.0.2924.87 on Android.
  • Review and restrict browser extension installation policies, especially for untrusted or unmanaged extensions.
  • Validate that endpoint management and auto-update policies are working so vulnerable Chrome versions do not persist.
  • Monitor for users installing suspicious extensions and investigate any browser activity tied to unexpected downloads or script execution.
  • Use the Chrome release notes and vendor guidance referenced in the CVE record to confirm remediation status across managed fleets.
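As an added example (not code from PatchSiren or Google), the following Python helper checks a fleet inventory export against the per-platform fixed versions quoted in the technical summary, using numeric comparison of the dotted version so that a build such as 56.0.2924.9 is correctly ranked below 56.0.2924.76. The hostnames, version strings and field names in the sample inventory are constructed for illustration.

```python
"""Fleet triage for CVE-2017-5020 fixed-version thresholds (added example)."""
from typing import Dict, List, Tuple

# Fixed-version thresholds taken from the NVD record quoted in the debrief.
FIXED_VERSIONS: Dict[str, str] = {
    "linux": "56.0.2924.76",
    "windows": "56.0.2924.76",
    "mac": "56.0.2924.76",
    "android": "56.0.2924.87",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted Chrome version into integers for ordering.

    A plain string comparison would rank '56.0.2924.9' above '56.0.2924.76'
    because '9' > '7'; integer tuples compare the components correctly.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the installed build is below the fixed threshold for its platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def triage_inventory(rows: List[Dict[str, str]]) -> List[str]:
    """Return hosts from an inventory export that still need the Chrome 56 update."""
    return [r["host"] for r in rows if is_vulnerable(r["platform"], r["chrome_version"])]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-001", "platform": "Windows", "chrome_version": "55.0.2883.87"},
    {"host": "ws-002", "platform": "Windows", "chrome_version": "56.0.2924.76"},
    {"host": "mac-003", "platform": "Mac", "chrome_version": "56.0.2924.9"},
    {"host": "droid-04", "platform": "Android", "chrome_version": "56.0.2924.76"},
    {"host": "droid-05", "platform": "Android", "chrome_version": "57.0.2987.132"},
    {"host": "lx-006", "platform": "Linux", "chrome_version": "56.0.2924.87"},
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the CVE-2017-5020 fixed version for its platform")
```

Note that droid-04 is flagged even though it meets the desktop threshold, because the Android fix landed in 56.0.2924.87.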

Evidence notes

This debrief is based on the CVE description and NVD metadata supplied in the corpus. The CVE record and NVD both identify Google Chrome as affected, describe the user-gesture failure for powerful download operations, and list the relevant fixed version thresholds. NVD also supplies the CVSS vector, CWE mapping, and references to the Chrome stable channel update and Chromium issue tracker.

Official resources

Publicly disclosed on 2017-02-17, based on the CVE published timestamp in the supplied record. The source corpus also lists vendor and downstream references associated with the issue.