In the Chrome version of the popular Evernote Web Clipper browser extension, used for easy online content storage, a bug in the code of all versions up to and including 7.11.1 allowed cross-site scripting (XSS) attacks to be carried out across domains in order to collect confidential user information. The research team of the security software vendor Guardio, which discovered the bug, describes the resulting vulnerability as critical. If an attacker succeeds in luring a user of the Chrome extension to a specially crafted website, he could use it to bypass Chrome's Site Isolation and gain access to the user's data from any third-party website, e.g. cookies, credentials or other stored information. In the worst case, an attacker could, for example, impersonate the affected user on social networks and read or add content in their name.
Guardio praises Evernote's quick response: the research team informed the publisher of the extension about the vulnerability on 27 May, and the patched version 7.11.1 was released on 31 May. According to Guardio, the update was distributed automatically to the extension's users (over 4.6 million according to the Chrome Web Store). Nevertheless, it is advisable to check the installed version manually by entering

chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc

into the address bar of the Chrome browser. Version 7.11.1 (and higher) reliably prevents attacks on the vulnerability, which has been assigned the identifier CVE-2019-12592.