PatchSiren cyber security CVE debrief
CVE-2017-5928 W3 CVE debrief
CVE-2017-5928 describes a timing side-channel in the W3C High Resolution Time API. Memory-reference times can still be measured from crafted JavaScript with a performance.now "Time to Tick" approach, even with a timing protection mechanism in place, which makes it easier for remote attackers to conduct AnC attacks. NVD rates the issue LOW (CVSS 3.7).
- Vendor: W3
- Product: CVE-2017-5928
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-27
- Advisory updated: 2026-05-13
Who should care
Browser vendors, web platform and browser-security engineers, researchers working on timing attacks, and security teams that depend on browser-side timing mitigations or anti-fingerprinting controls.
Technical summary
The supplied NVD record and referenced research indicate that implementations of the High Resolution Time API in various web browsers still allow enough timing precision to measure memory-reference times using a performance.now "Time to Tick" approach. That weakens protections intended to reduce timing leakage and can help remote attackers run AnC attacks with crafted JavaScript. The provided corpus frames this as an API-level issue across browser implementations, not a single vendor-specific product flaw.
Defensive priority
Medium for browser and platform teams, low for most application operators. The disclosed impact is confidentiality-focused and the CVSS score is low, but the issue is relevant anywhere browser timing leakage matters.
Recommended defensive actions
- Review browser and platform mitigations for high-resolution timing, including timer clamping and related anti-side-channel controls.
- Use current browser builds and vendor guidance for timing-attack defenses; do not assume performance.now protections fully eliminate fine-grained timing leakage.
- Track the referenced research and browser-security advisories for implementation-specific exposure and remediation guidance.
- For sensitive web applications, minimize reliance on client-side secrecy and assume JavaScript timing can still reveal side-channel information.
- Monitor NVD and browser-vendor updates for changes affecting the High Resolution Time API or related timing primitives.
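One way to carry out the first action above, as an added example (not code from the CVE record, the referenced research, or any browser): it reads a clock such as performance.now() and reports the smallest step observed and whether readings sit on a fixed grid. The function names and the two constructed clocks are assumptions for illustration.

```javascript
// Added example: audit the step size of a millisecond clock such as performance.now().

// Collect up to `samples` steps (integer nanoseconds) between consecutive
// distinct readings of `now`. `maxReads` bounds the loop so a frozen clock
// cannot hang the page.
function observeSteps(now, samples = 64, maxReads = 5e6) {
  const steps = [];
  let last = now();
  for (let i = 0; i < maxReads && steps.length < samples; i++) {
    const t = now();
    if (t !== last) {
      steps.push(Math.round((t - last) * 1e6)); // ms -> ns, absorbs float noise
      last = t;
    }
  }
  return steps;
}

// Summarise: smallest step seen, and whether every step is a whole multiple
// of it (readings sit on a fixed grid) or not (steps are uneven, e.g. jitter).
function auditClock(now, samples = 64) {
  const steps = observeSteps(now, samples).filter((s) => s > 0);
  if (steps.length === 0) return { resolutionNs: null, fixedGrid: false, steps: 0 };
  const resolutionNs = Math.min(...steps);
  const fixedGrid = steps.every((s) => s % resolutionNs === 0);
  return { resolutionNs, fixedGrid, steps: steps.length };
}

// Constructed clocks for offline use (assumptions, not real browser behaviour).
// clampedClock: real time advances 7 us per read, readings floor to `grainUs`.
function clampedClock(grainUs) {
  let rawUs = 0;
  return () => { rawUs += 7; return (Math.floor(rawUs / grainUs) * grainUs) / 1000; };
}
// irregularClock: readings advance by a repeating pattern of uneven steps.
function irregularClock(patternUs) {
  let us = 0, i = 0;
  return () => { us += patternUs[i++ % patternUs.length]; return us / 1000; };
}

console.log(auditClock(clampedClock(100)));               // constructed 100 us clamp
console.log(auditClock(irregularClock([100, 130, 170]))); // constructed uneven steps
if (typeof performance !== "undefined") {
  console.log(auditClock(() => performance.now()));       // the runtime's own clock
}
```

Run in the browser build under review, the last call shows the clamp that build actually applies, which can be compared against the vendor's documented value.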
Evidence notes
This debrief is based only on the supplied NVD record, CVE metadata, and the referenced research/project links in the corpus. The corpus describes an API-level browser timing issue and does not provide a single patched product, affected version list, or exploit instructions. CVSS and weakness data are taken from NVD.
Official resources
- CVE-2017-5928 CVE record (CVE.org)
- CVE-2017-5928 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: [email protected] - Technical Description
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE published on 2017-02-27T07:59:00.270Z; NVD last modified the record on 2026-05-13T00:24:29.033Z. The published date is the correct disclosure timing reference.