CVE-2021-30533 Overview
CVE-2021-30533 is an authorization weakness [CWE-863] in the PopupBlocker component of Google Chrome prior to version 91.0.4472.77. The flaw stems from insufficient policy enforcement, allowing a remote attacker to bypass navigation restrictions through a crafted iframe. An attacker hosting a malicious page can redirect users to attacker-controlled destinations despite Chrome's popup and navigation protections. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation. The EPSS score sits at 10.532% with a 93rd percentile rating, reflecting elevated exploitation likelihood relative to the broader CVE population.
Critical Impact
Remote attackers can bypass Chrome's navigation restrictions via crafted iframes, redirecting victims to malicious sites and enabling phishing or drive-by download chains. The vulnerability is confirmed as exploited in the wild by CISA KEV.
Affected Products
- Google Chrome versions prior to 91.0.4472.77
- Fedora 33
- Fedora 34
Discovery Timeline
- 2021-05-25 - Google releases Chrome stable channel update 91.0.4472.77
- 2021-06-07 - CVE-2021-30533 published to the National Vulnerability Database
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2021-30533
Vulnerability Analysis
The vulnerability resides in Chrome's PopupBlocker, the component responsible for enforcing navigation and popup restrictions across browsing contexts. PopupBlocker fails to apply consistent policy checks when navigation requests originate from nested browsing contexts. An attacker can craft an iframe that issues a navigation request the browser would otherwise block at the top frame level. This bypass enables redirection to attacker-controlled URLs without user consent.
The weakness is classified as Incorrect Authorization [CWE-863]. Chrome's security model relies on PopupBlocker to gate cross-origin and untrusted navigation attempts. When that enforcement is incomplete, attackers gain a primitive useful for phishing, malvertising redirects, exploit kit landing pages, and tech support scams. Successful exploitation requires user interaction, such as visiting an attacker-controlled or compromised page.
Root Cause
The root cause is missing or incomplete authorization logic in PopupBlocker when evaluating navigation events sourced from iframe elements. Policy enforcement designed for top-level frames does not consistently extend to subframe-initiated navigations, leaving a gap attackers can trigger with standard HTML and JavaScript constructs.
Attack Vector
Exploitation occurs over the network. An attacker hosts a malicious or compromised page containing a crafted iframe. When a victim visits the page, the iframe triggers a navigation that PopupBlocker should block but does not. The browser navigates to the attacker-specified destination, which can host credential phishing forms, browser exploits, or social engineering content. No authentication is required, and the attack scales to any user visiting affected Chrome versions. Refer to the Chromium Bug Report for upstream technical details.
Detection Methods for CVE-2021-30533
Indicators of Compromise
- Unexpected navigations from embedded iframes to external domains, particularly to newly registered or low-reputation domains.
- Browser telemetry showing Chrome versions below 91.0.4472.77 accessing pages with anomalous iframe-driven redirects.
- Endpoint logs correlating Chrome process activity with downloads or credential submissions immediately following an iframe-sourced navigation.
Detection Strategies
- Inventory Chrome installations across the fleet and flag any build below 91.0.4472.77 for prioritized patching.
- Inspect web proxy and DNS logs for redirect chains originating from pages that host third-party iframes pointing to suspicious destinations.
- Correlate browser navigation events with subsequent process creation or file write activity to identify drive-by download attempts.
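The first two detection strategies above (flag Chrome builds below 91.0.4472.77, then inspect proxy logs for cross-origin navigations from framed pages) can be combined into one triage pass over proxy records. This is an added illustration, not tooling from the advisory or from Google; the tab-separated record layout, the TRUSTED_HOSTS allowlist and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# First Chrome stable build carrying the CVE-2021-30533 fix (from the advisory).
FIXED_BUILD = (91, 0, 4472, 77)

# Hypothetical allowlist of destinations framed content is expected to reach.
TRUSTED_HOSTS = {"intranet.example.com", "cdn.example.com"}

def chrome_version(user_agent):
    """Extract the four-part Chrome build from a User-Agent string, or None."""
    m = re.search(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)", user_agent)
    return tuple(int(x) for x in m.groups()) if m else None

def is_unpatched(user_agent):
    """True when the client is Chrome and its build predates the fixed release."""
    v = chrome_version(user_agent)
    return v is not None and v < FIXED_BUILD

def parse_line(line):
    """Split one constructed proxy record: client<TAB>url<TAB>referer<TAB>user-agent."""
    client, url, referer, ua = line.split("\t")
    return {"client": client, "url": url, "referer": referer, "ua": ua}

def suspicious_navigations(lines):
    """Flag cross-origin navigations by unpatched Chrome to hosts outside the allowlist."""
    findings = []
    for rec in map(parse_line, lines):
        dest = urlsplit(rec["url"]).hostname
        src = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if (src and dest and src != dest
                and dest not in TRUSTED_HOSTS
                and is_unpatched(rec["ua"])):
            findings.append((rec["client"], src, dest, chrome_version(rec["ua"])))
    return findings

# Constructed sample records (not real traffic): one unpatched client, one patched,
# one unpatched client whose destination is on the allowlist.
SAMPLE_LOG = [
    "10.0.0.5\thttps://news.example.org/article\t-\tMozilla/5.0 Chrome/90.0.4430.212 Safari/537.36",
    "10.0.0.5\thttps://login-verify.example.net/\thttps://news.example.org/article\tMozilla/5.0 Chrome/90.0.4430.212 Safari/537.36",
    "10.0.0.7\thttps://login-verify.example.net/\thttps://news.example.org/article\tMozilla/5.0 Chrome/91.0.4472.77 Safari/537.36",
    "10.0.0.9\thttps://cdn.example.com/app.js\thttps://intranet.example.com/\tMozilla/5.0 Chrome/89.0.4389.90 Safari/537.36",
]

if __name__ == "__main__":
    for client, src, dest, ver in suspicious_navigations(SAMPLE_LOG):
        print("unpatched Chrome %s on %s navigated %s -> %s" % (ver, client, src, dest))
```

Only the second record is flagged: the 91.0.4472.77 client is patched, and the allowlisted cdn.example.com destination is ignored.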
Monitoring Recommendations
- Enable browser version reporting through enterprise management consoles to maintain continuous visibility into Chrome patch state.
- Monitor outbound HTTP traffic for navigation patterns consistent with malvertising and phishing redirect chains.
- Alert on user interaction with phishing kits or exploit kit landing pages downstream of iframe redirects.
How to Mitigate CVE-2021-30533
Immediate Actions Required
- Update Google Chrome to version 91.0.4472.77 or later on all endpoints immediately.
- Apply Fedora package updates for Fedora 33 and Fedora 34 as published in the Fedora security advisories.
- Prioritize remediation given CISA KEV listing and the elevated EPSS percentile indicating active exploitation interest.
Patch Information
Google addressed the vulnerability in the Chrome stable channel release 91.0.4472.77. See the Google Chrome Update Announcement for the full release notes. Fedora users should consult the Fedora Package Announcement and Gentoo users should reference the Gentoo GLSA Advisory 202107-06.
Workarounds
- Enforce browser auto-update policies through enterprise management to eliminate stale Chrome versions.
- Deploy web filtering to block known phishing, malvertising, and exploit kit infrastructure that abuses iframe redirect chains.
- Restrict third-party iframe embedding on internal web properties using Content-Security-Policy directives such as frame-ancestors and frame-src.
# Example Content-Security-Policy header restricting iframe sources
Content-Security-Policy: frame-src 'self' https://trusted.example.com; frame-ancestors 'self'
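A header like the one above is only useful if it is actually deployed with restrictive frame directives. The following added helper (not part of the advisory or of Chrome) audits a Content-Security-Policy value for frame-src and frame-ancestors, resolving the standard frame-src fallback to child-src and default-src; the list of sources treated as too permissive is an assumption of this example.

```python
# Sources that leave a frame directive effectively open (assumed list for this check).
OPEN_SOURCES = {"*", "http:", "https:", "data:", "blob:"}

# Standard CSP fallback chains: frame-src falls back to child-src then default-src;
# frame-ancestors has no fallback and must be set explicitly.
FALLBACK = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "frame-ancestors": ["frame-ancestors"],
}

def parse_csp(value):
    """Parse a CSP header value into {directive: [sources]}; directives are ';'-separated."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Return (directive actually used, sources) after applying the fallback chain."""
    for name in FALLBACK[directive]:
        if name in policy:
            return name, policy[name]
    return None, None

def audit_frame_policy(value):
    """Return findings; an empty list means both frame directives are present and restrictive."""
    policy = parse_csp(value)
    findings = []
    for directive in ("frame-src", "frame-ancestors"):
        used, sources = effective_sources(policy, directive)
        if sources is None:
            findings.append("%s missing" % directive)
            continue
        for src in sources:
            if src.strip("'").lower() in OPEN_SOURCES:
                findings.append("%s allows %s (via %s)" % (directive, src, used))
    return findings

if __name__ == "__main__":
    # The header from the workaround above, followed by a permissive one for contrast.
    print(audit_frame_policy("frame-src 'self' https://trusted.example.com; frame-ancestors 'self'"))
    print(audit_frame_policy("default-src *"))
```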
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.