CVE-2016-5187
Publication date 17 October 2016
Last updated 25 August 2025
Ubuntu priority
Google Chrome prior to 54.0.2840.85 for Android incorrectly handled rapid transition into and out of full screen mode, which allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via crafted HTML pages.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| oxide-qt | ||
| 16.04 LTS xenial |
Fixed 1.18.3-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 1.18.3-0ubuntu0.14.04.1
|
|
| chromium-browser | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
Notes
chrisccoulson
This looks like it's in the TopControlsManager, used only in Chrome/Android. Oxide also makes use of this functionality
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3113-1
- Oxide vulnerabilities
- 2 November 2016