VYPR
High severity 8.8 · NVD Advisory · Published Mar 6, 2016 · Updated May 6, 2026

CVE-2016-1630

Description

Blink's ContainerNode::parserRemoveChild mishandles widget updates, enabling a same-origin policy bypass via a crafted website.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ContainerNode::parserRemoveChild in WebKit/Source/core/dom/ContainerNode.cpp (Blink engine) failed to defer widget updates during the removal of a node. This occurred in Google Chrome versions before 49.0.2623.75 and affected Oxide (used in Ubuntu) as well [2]. The code path is reachable when a crafted website triggers DOM manipulation through the parser [1].

Exploitation

An attacker needs no special authentication or network position other than to host a malicious website. The attacker must trick a user into visiting that site. The vulnerability is triggered during parser-inserted node removals where parserRemoveChild is called without deferring widget updates, potentially allowing script execution at an unintended point during the DOM operation [1].

Impact

Successful exploitation allows a remote attacker to bypass the Same Origin Policy, potentially gaining access to cross-origin data or executing unauthorized actions in the context of other sites [2][3]. This could lead to information disclosure or further compromise of the user's browser session.

Mitigation

Google Chrome 49.0.2623.75 includes the fix, which defers widget updates using a RAII guard in parserRemoveChild [1]. Ubuntu users should update to Oxide packages that address this CVE (USN-2920-1) [2]. Gentoo users should upgrade to Chromium >=49.0.2623.87 [3]. No workaround is available if patching is not possible [3].
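
The deferral pattern named above, as an added example that is not Blink's code and not part of the original advisory: a toy C++ model in which a child removal schedules a widget update, run once without and once with an RAII guard. All names (`WidgetUpdates`, `DeferScope`, `removeChildModel`) are hypothetical.

```cpp
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>
// Toy model; every name here is hypothetical, not Blink's API.
class WidgetUpdates {
public:
    // RAII guard: while at least one is alive, updates are queued, not run.
    class DeferScope {
    public:
        DeferScope() { ++depth_; }
        ~DeferScope() { if (--depth_ == 0) flush(); }  // outermost guard flushes
        DeferScope(const DeferScope&) = delete;
        DeferScope& operator=(const DeferScope&) = delete;
    };
    static void schedule(std::function<void()> update) {
        if (depth_ > 0) pending_.push_back(std::move(update));
        else update();  // no guard alive: runs immediately, inside the caller
    }
    static std::size_t pending() { return pending_.size(); }
private:
    static void flush() {
        std::vector<std::function<void()>> run;
        run.swap(pending_);  // take the queue first so callbacks cannot alter it mid-loop
        for (auto& u : run) u();
    }
    static int depth_;
    static std::vector<std::function<void()>> pending_;
};
int WidgetUpdates::depth_ = 0;
std::vector<std::function<void()>> WidgetUpdates::pending_;

// Models a child removal that triggers a widget update. Returns true if the
// update (which may run arbitrary callbacks) fired while the tree was mid-mutation.
bool removeChildModel(bool deferUpdates) {
    bool mutating = false, ranMidMutation = false;
    auto removal = [&] {
        mutating = true;   // child list is inconsistent from here
        WidgetUpdates::schedule([&] { ranMidMutation = mutating; });
        mutating = false;  // removal finished, tree consistent again
    };
    if (deferUpdates) { WidgetUpdates::DeferScope guard; removal(); }
    else removal();
    return ranMidMutation;
}

int main() {
    std::printf("unguarded: %d, guarded: %d\n", removeChildModel(false), removeChildModel(true));
}
```

Because the guard is a stack object, the queued updates run on every exit path from the guarded scope, including early returns.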

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
