CVE-2023-4078: 
vulnerability analysis and mitigation

A medium severity vulnerability (CVE-2023-4078) was identified in Google Chrome versions prior to 115.0.5790.170. The vulnerability involves an inappropriate implementation in Extensions that could allow an attacker to inject scripts or HTML into a privileged page through a crafted Chrome Extension, but only after convincing a user to install a malicious extension (Chrome Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue specifically relates to the Extensions component of Chrome, where improper implementation could allow script and HTML injection into privileged pages (NVD).

If successfully exploited, this vulnerability could lead to script and HTML injection into privileged pages, potentially compromising the security of the browser and exposing sensitive information. The attack requires user interaction in the form of installing a malicious extension (NVD).

The vulnerability has been patched in Chrome version 115.0.5790.170. Users are advised to update to this version or later. The fix has been distributed to various distributions including Debian, Fedora, and Gentoo (Debian Advisory, Gentoo Advisory).

The vulnerability was reported by Derin Eryilmaz on 2023-07-04 and was awarded a $1000 bug bounty by Google's Chrome team (Chrome Release).