CVE-2022-0116: 
vulnerability analysis and mitigation

CVE-2022-0116 is a security vulnerability identified in Google Chrome versions prior to 97.0.4692.71, discovered on November 20, 2021 by Irvan Kurniawan (sourc7). The vulnerability stems from an inappropriate implementation in the Compositing component that allowed remote attackers to spoof the contents of the Omnibox (URL bar) through a crafted HTML page (Chrome Release, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with no impact on confidentiality, low impact on integrity, and no impact on availability (NVD).

The vulnerability allows an attacker to spoof the contents of the Omnibox (URL bar) in Google Chrome through a specially crafted HTML page. This could potentially lead to users being misled about the website they are visiting, creating opportunities for phishing attacks (Chrome Release).

Google addressed this vulnerability in Chrome version 97.0.4692.71. Users and administrators are advised to update to this version or later to mitigate the risk. The fix was also incorporated into Fedora's chromium packages for versions 34, 35, and 36 (Fedora Update).