WebKit contains a flaw in WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp within the JavaScript bindings. The issue is related to the window.open logic and allows a popped up window to confuse a top-level page into believing that the new window is a direct child. With a specially crafted web page, a context-dependent attacker may bypass the same origin policy.

Upgrade to Google Chrome version 18.0.1025.151 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1026892
• CVE ID: 2011-3072 (see also: NVD)
• Secunia Advisory ID: 48732 48749
• Bugtraq ID: 52913
• Related OSVDB ID: 81036 81037 81038 81039 81040 81041 81043 81044 81045 81046 81047
• Other Advisory URL: http://blog.chromium.org/2012/06/tale-of-two-pwnies-part-2.html
• Vendor Specific News/Changelog Entry: http://code.google.com/p/chromium/issues/detail?id=118467
  http://googlechromereleases.blogspot.com/2012/04/stable-and-beta-channel-updates.html
  http://www.gentoo.org/security/en/glsa/glsa-201204-03.xml
  https://bugs.webkit.org/show_bug.cgi?id=81260 [ Auth Req'd ]
• Vendor Specific Solution URL: http://trac.webkit.org/changeset/111098

• Sergey Glazunov