Unrated severity · NVD Advisory · Published Jun 26, 2018 · Updated Aug 5, 2024

CVE-2018-0612

Description

Cross-site scripting vulnerability in 5000 trillion yen converter v1.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in Chrome Extension '5000 trillion yen converter' v1.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Vulnerability

The Chrome Extension "5000 trillion yen converter" version 1.0.6 contains a cross-site scripting (XSS) vulnerability (CWE-79) [1]. The vulnerability allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. The extension is designed to replace occurrences of "5000 trillion yen" with an image on web pages, and the flaw likely arises from improper handling of user-controlled content during text replacement.

Exploitation

An attacker can exploit this vulnerability remotely without authentication [1]. The attack requires user interaction: the victim must be browsing a web page on which the extension is active and into which the attacker has injected malicious content (e.g., via a crafted website or comment). The exact attack vector is not disclosed, but it likely involves the extension processing untrusted input from the page's DOM.

Impact

Successful exploitation allows an attacker to execute arbitrary script in the context of the user's browser session [1]. This can lead to information disclosure (e.g., cookies, session tokens), UI redressing, or other actions within the extension's permissions. The CVSS v3 score is 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [1].

Mitigation

The vulnerability is fixed in version 1.0.7 of the extension, released on June 8, 2018 [2]. Users should update the extension via the Chrome Web Store to the latest version. No workarounds are documented; the only mitigation is to apply the update [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
