Work around for "Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability"
CVE: CVE-2007-0048, CVE-2007-0045
Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.
Credit: Thanks to Michael Schmidt for reporting this responsibly to Google.
Javascript Same-Origin Bypass
CVE: CVE-2009-0276
A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.
Credit: Found internally by Google.
