Arch Linux Security Advisory ASA-201511-8
=========================================

Severity: Medium
Date    : 2015-11-13
CVE-ID  : CVE-2015-1302
Package : chromium
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chromium before version 46.0.2490.86-1 is vulnerable to
information leakage and cross-origin restriction bypass.

Resolution
==========

Upgrade to 46.0.2490.86-1.

# pacman -Syu "chromium>=46.0.2490.86-1"

The problem has been fixed upstream in version 46.0.2490.86.

Workaround
==========

None.

Description
===========

The PDF viewer does not properly restrict scripting messages and API
exposure, which allows remote attackers to bypass the Same Origin Policy
via an unintended embedder or unintended plugin loading, related to
pdf.js and out_of_process_instance.cc.

Impact
======

A remote attacker is able to bypass the cross-origin restriction via an
unintended embedder or unintended plugin loading, related to pdf.js and
out_of_process_instance.cc allowing unauthorized disclosure of
information.

References
==========

https://access.redhat.com/security/cve/CVE-2015-1302
http://googlechromereleases.blogspot.fr/2015/11/stable-channel-update.html
https://codereview.chromium.org/1316803003