CVE-2011-3881
Description
WebKit, as used in Google Chrome before 15.0.874.102 and Android before 4.4, allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors related to (1) the DOMWindow::clear function and use of a selection object, (2) the Object::GetRealNamedPropertyInPrototypeChain function and use of an __proto__ property, (3) the HTMLPlugInImageElement::allowedToLoadFrameURL function and use of a javascript: URL, (4) incorrect origins for XSLT-generated documents in the XSLTProcessor::createDocumentFromSource function, and (5) improper handling of synchronous frame loads in the ScriptController::executeIfJavaScriptURL function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WebKit in Chrome <15.0.874.102 and Android <4.4 allows SOP bypass via multiple vectors, including JavaScript URLs in plugin elements.
Vulnerability
Multiple Same Origin Policy (SOP) bypass vulnerabilities exist in WebKit, as used in Google Chrome before version 15.0.874.102 and Android before version 4.4 (KitKat) [1]. One notable vector involves the HTMLPlugInImageElement::allowedToLoadFrameURL function, which fails to validate `javascript:` URLs when loading frame content for plugin elements [2]. This allows an attacker to change the `data` attribute of a plugin element from a legitimate cross-origin URL to a `javascript:` URL after the element has loaded, thereby executing arbitrary script in the context of the plugin's original origin [1]. The issue is present in WebKit code prior to the fix committed in [2].
Exploitation
An attacker can exploit this vulnerability without authentication by enticing a victim to visit a crafted web page [1]. The attack involves the following steps: create a plugin element with a `data` attribute pointing to a cross-origin URL (e.g., http://www.bing.com), append it to the document, wait for it to load, then set the `data` attribute to a `javascript:` URL (e.g., `javascript:alert(document.domain)`) and set `innerHTML` to trigger the navigation [1]. The browser then executes the JavaScript in the context of the plugin's original origin, bypassing the SOP [1].
Impact
Successful exploitation allows remote attackers to bypass the Same Origin Policy and conduct Universal Cross-Site Scripting (UXSS) attacks [1]. This means an attacker can execute arbitrary JavaScript in the context of any website, potentially stealing cookies, session tokens, or other sensitive data, and performing actions on behalf of the victim in a different origin [1]. The impact is limited to the web content realm; no system-level compromise is implied.
Mitigation
The vulnerability is fixed in Google Chrome version 15.0.874.102 and later [1]. For Android, the fix is included in Android 4.4 (KitKat) and later versions [1]. The specific code fix for the HTMLPlugInImageElement vector was committed as cherry-pick r96826 to the Android WebKit repository [2]. Users should update their browsers or devices to the latest available versions. No workaround is available for unpatched systems. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (5)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of the `javascript:` scheme in `HTMLPlugInImageElement::allowedToLoadFrameURL` allows script execution in the context of a cross-origin frame."
Attack vector
An attacker hosts a page containing an `
Affected code
The vulnerability resides in the `HTMLPlugInImageElement::allowedToLoadFrameURL` function within WebKit. The function is responsible for deciding whether a plugin element may load a given frame URL, but it performs no validation of the `javascript:` scheme [ref_id=1].
What the fix does
The fix adds a security check inside `allowedToLoadFrameURL`: after constructing the complete URL, it tests whether the scheme is `javascript:` and, if so, whether the current document's security origin can access the content document's security origin. If the origins differ, the function returns `false`, blocking the cross-origin script execution [ref_id=1].
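The following is an added illustrative model, not WebKit's source, of the `allowedToLoadFrameURL` decision before and after the fix, replaying the load-then-swap sequence from the Exploitation section. Origins are WHATWG URL origin strings, the same-origin test stands in for `SecurityOrigin::canAccess`, and the embedding page `http://attacker.example/` is a constructed placeholder.

```javascript
// Illustrative model (not WebKit code) of HTMLPlugInImageElement::allowedToLoadFrameURL.
// Origins are WHATWG URL origin strings; "null" denotes an opaque origin.

function originOf(url) {
  return new URL(url).origin;
}

// Stand-in for SecurityOrigin::canAccess: identical, non-opaque
// scheme/host/port tuples only.
function canAccess(activeOrigin, targetOrigin) {
  return activeOrigin !== "null" && activeOrigin === targetOrigin;
}

// documentOrigin: origin of the page embedding the plugin element.
// contentOrigin: origin of whatever the element's frame currently holds.
// patched: false models the vulnerable check, true models the fixed one.
function allowedToLoadFrameURL(url, documentOrigin, contentOrigin, patched) {
  const completeURL = new URL(url);
  if (patched && completeURL.protocol === "javascript:") {
    // Fixed behaviour: a javascript: URL may only run if the embedding
    // document could already reach the frame's content document.
    return canAccess(documentOrigin, contentOrigin);
  }
  // Pre-fix behaviour (and any non-javascript: URL): the load is allowed.
  return true;
}

// Replays the sequence from the Exploitation section: load a cross-origin
// URL into the element, then switch its data to a javascript: URL.
function replay(patched) {
  const documentOrigin = originOf("http://attacker.example/page.html"); // constructed
  const firstURL = "http://www.bing.com/";
  const secondURL = "javascript:alert(document.domain)";
  // A fresh about:blank frame inherits the embedder's origin.
  let contentOrigin = documentOrigin;
  const decisions = [];
  if (allowedToLoadFrameURL(firstURL, documentOrigin, contentOrigin, patched)) {
    contentOrigin = originOf(firstURL); // frame now holds cross-origin content
    decisions.push("load:" + contentOrigin);
  }
  const scriptAllowed = allowedToLoadFrameURL(secondURL, documentOrigin, contentOrigin, patched);
  decisions.push(scriptAllowed ? "javascript: allowed" : "javascript: blocked");
  return decisions;
}
```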
Preconditions
- Config: The victim must use a browser based on WebKit prior to the fix (e.g., Android Browser < 4.4, Chrome < 15.0.874.102, or Safari 5.0).
- Input: The attacker must be able to serve arbitrary HTML/JavaScript to the victim (e.g., via a malicious website or injected content).
Reproduction
Create an HTML page with the following script: `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (15)
- code.google.com/p/chromium/issues/detail
- code.google.com/p/chromium/issues/detail
- code.google.com/p/chromium/issues/detail
- code.google.com/p/chromium/issues/detail
- code.google.com/p/chromium/issues/detail
- googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
- lists.apple.com/archives/security-announce/2012/Mar/msg00001.html
- lists.apple.com/archives/security-announce/2012/Mar/msg00003.html
- secunia.com/advisories/48288
- secunia.com/advisories/48377
- www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html
- www.securitytracker.com/id
- android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef
- exchange.xforce.ibmcloud.com/vulnerabilities/70959
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12940
News mentions (0)
No linked articles in our index yet.