CVE-2022-32269: 
RealPlayer vulnerability analysis and mitigation

In Real Player 20.0.8.310, a remote code execution vulnerability exists in the G2 Control component that allows injection of unsafe javascript: URIs in local HTTP error pages displayed by Internet Explorer core (NVD, GitHub POC).

The vulnerability exists because the G2 Control component allows 'javascript:' URIs to be passed as arguments to the DoGoToURL() function. By setting the 'URL' parameter to a javascript: URI and the 'target' parameter to an iframe element, an attacker can execute JavaScript code in the context of a local error page (res://ieframe.dll/navcancl.htm) that appears after navigating to an invalid URI. This page runs in the 'My computer' security zone of Internet Explorer which allows reading local files and code execution by design (GitHub POC). The vulnerability has a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

A successful exploit could allow an attacker to execute arbitrary code in the context of the current user. The proof-of-concept demonstrates planting an HTA file in the user's startup folder, which can contain code to download or execute embedded malware (GitHub POC).

The vulnerability can be mitigated by prohibiting the 'javascript:' URI in the G2 Control component (GitHub POC).