
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in Google Chrome's Picture in Picture (PiP) feature prior to version 119.0.6045.105 allowed remote attackers to spoof the contents of the Omnibox (URL bar) through a crafted HTML page. The vulnerability was discovered by Axel Chong on July 3, 2023, and was assigned CVE-2023-7011 with a Medium severity rating (Chrome Release Notes).
The flaw lay in Chrome's document Picture in Picture implementation: a long about:blank URL carrying URL fragments could be used to spoof the address shown for the document PiP window. The issue received a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, and a high impact on integrity only (NVD).
If exploited, this vulnerability could allow attackers to spoof the URL displayed in the Picture in Picture window's Omnibox, potentially misleading users about the origin of the content they are viewing. This could be particularly dangerous in scenarios involving sensitive operations like payment processing (Chrome Issue).
Google addressed this vulnerability in Chrome version 119.0.6045.105. The fix involved changes to both renderer-side and browser-side implementations to prevent URL spoofing in Picture in Picture windows. Users should update to this version or later to receive the security fix (Chrome Release Notes).
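The practical defender's question for an advisory like this is which hosts in a fleet still run a build older than the fixed release. The script below is an added example, not code from the advisory or from Google: it parses four-component Chrome version strings, compares them numerically against 119.0.6045.105 (the fixed version stated above), and buckets a constructed inventory export into vulnerable, fixed, and unknown. The hostnames and versions in SAMPLE_INVENTORY are constructed for the example.

```python
"""Added example: triage a Chrome fleet inventory against the CVE-2023-7011 fix version.

Assumptions: the fixed version 119.0.6045.105 is taken from the advisory;
the inventory lines below are constructed, not real hosts.
"""
import re
from typing import Dict, List, Optional, Tuple

# First Chrome release carrying the Picture in Picture omnibox spoof fix (from the advisory).
FIXED_VERSION = "119.0.6045.105"

# Chrome versions are exactly four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_chrome_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse MAJOR.MINOR.BUILD.PATCH into a tuple of ints.

    Returns None for anything that is not four dot-separated integers, so
    malformed inventory data is surfaced as 'unknown' rather than silently
    compared as a string.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        return None
    return tuple(int(part) for part in version.split("."))


_FIXED_TUPLE = parse_chrome_version(FIXED_VERSION)
assert _FIXED_TUPLE is not None


def is_vulnerable_to_cve_2023_7011(version: str) -> Optional[bool]:
    """True if the version predates the fix, False if fixed, None if unparseable.

    The comparison is tuple-wise, so 119.0.6045.99 sorts before 119.0.6045.105;
    a plain string comparison would get that pair backwards.
    """
    parsed = parse_chrome_version(version)
    if parsed is None:
        return None
    return parsed < _FIXED_TUPLE


# Constructed sample inventory in "hostname,chrome_version" form, as a fleet
# export might produce it. These are not real hosts.
SAMPLE_INVENTORY = """\
ws-finance-01,118.0.5993.117
ws-finance-02,119.0.6045.105
ws-hr-03,119.0.6045.99
ws-hr-04,120.0.6099.71
ws-lab-05,unknown
"""


def triage_inventory(inventory_text: str) -> Dict[str, List[str]]:
    """Bucket hosts into vulnerable / fixed / unknown for CVE-2023-7011."""
    result: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        host, _, version = line.partition(",")
        status = is_vulnerable_to_cve_2023_7011(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["vulnerable"].append(host)
        else:
            result["fixed"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket matters in practice: an agent that reports an empty or non-numeric version is not evidence that the host is patched, and a check that compared version strings lexically would misclassify 119.0.6045.99 as newer than the fix.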
Source: This report was generated using AI