Microsoft has refused to fix a security flaw that has been discovered by Cisco Talos researcher (Nicolai Grødum) in the Edge browser, Microsoft said that the issue is by design. However, Google and Apple fixed a similar issue in Chrome (CVE-2017-5033) and Safari (CVE-2017-2419), respectively.
According to Cisco Talos researcher:
“A specially crafted web page can cause a content security policy bypass resulting in an information leak. An attacker can create a malicious webpage to trigger this vulnerability. An attacker can bypass the Content-Security-Policy header that is used to make the browser protect against information leakage from a web site.”
Exploiting the flaw is slightly simple, an attacker only requires to load a new document using window.open(“”,”_blank”) and document.write-ing into it, (being in about:blank) an attacker can bypass the CSP (Content Security Policy) limitations put on the document that the original page’s Javascript code was running on and reach out to other sites. One could argue that the code was loaded with unsafe-inline in the CSP header, but that should still block any cross-site communication.
The bug exists in the most modern stable version of Microsoft’s Edge browser (40.15063), released in April this year. Microsoft told Cisco the way the browser’s Content Security Policy is set up is by design and there are no plans to patch the issue.
