Both unpatched vulnerabilities—one of which affects the latest version of Microsoft Internet Explorer and the other the latest Edge browser—allow a remote attacker to bypass the same-origin policy in the web browser.
Same Origin Policy (SOP) is a security feature implemented in modern browsers that restricts a web page or a script loaded from one origin from interacting with a resource from another origin, preventing unrelated sites from interfering with each other.
If you visit a website on your web browser, it can only request data from the same origin [domain] the site was loaded from, preventing it from making any unauthorized request on your behalf in order to steal your data.
The vulnerabilities, discovered by security researcher James Lee, who shared the details with Hack Hex, could allow a malicious website to perform universal cross-site scripting (UXSS) attacks against any domain visited using the vulnerable Microsoft web browsers.
An attacker only needs to convince a victim to open the malicious website, which then allows the attacker to steal the victim's sensitive data, such as login sessions and cookies, from other sites visited in the same browser.
“The issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection,” Lee told The Hacker News in an email.
The researcher contacted Microsoft and responsibly shared his findings with the company ten months ago, almost a year, but the tech giant ignored the issues and has not responded to the disclosure to date, leaving both flaws unpatched.
Lee has now released proof-of-concept (PoC) exploits for both issues.