CVE-2023-0130: 
vulnerability analysis and mitigation

A vulnerability in the Fullscreen API implementation of Google Chrome on Android (versions prior to 109.0.5414.74) was discovered on September 30, 2022. The vulnerability, identified as CVE-2023-0130, allowed remote attackers to spoof the contents of the Omnibox (URL bar) through a specially crafted HTML page. Google classified this vulnerability with a Medium security severity rating (Chrome Release, NVD).

The vulnerability stems from an inappropriate implementation in the Fullscreen API of Google Chrome's Android version. The issue was reported by a security researcher named Hafiizh and was assigned a bounty of $5000, indicating its significant impact on browser security. The fix was included in Chrome version 109.0.5414.74 (Chrome Release).

The vulnerability enabled attackers to perform URL bar spoofing attacks through crafted HTML pages. This could potentially lead to convincing phishing attacks where users might be tricked into believing they are on a legitimate website when they are actually on a malicious one (NVD).

Google addressed this vulnerability in Chrome version 109.0.5414.74 for Android. Users and organizations are advised to update to this version or later to protect against potential exploitation. The fix was also incorporated into various downstream projects and distributions, including Debian and Gentoo (Gentoo Advisory).