Key vulnerability information

Title: Security: Cross-origin pixel reading and history sniffing via SVG filter timing attack
Type: Vulnerability
Priority: P2
Severity: S3
Status: Fixed
Affected Versions: Chrome 54 (at least) through 57.0.2987.8
Operating Systems: Ubuntu Linux 16.10, Windows 10, OS X 10.11.6

Details: The vulnerability allows cross-origin pixel reading and history sniffing through a timing attack on SVG filters, specifically feConvolveMatrix. An attacker page applies the filter over a cross-origin iframe and measures how long the filtered element takes to render; because the filter's processing time depends on the pixel values it consumes, the measured time leaks those values. The proof of concept (PoC) reconstructs a 48x48 px region of the target origin into a canvas. The attack relies on GPU acceleration of SVG filters: it is not tied to particular devices, but it affects any system on which GPU acceleration is enabled. The timing channel exists because Skia renders elements that have been forced into the GPU pipeline with the FTZ (flush-to-zero) and DAZ (denormals-are-zero) FPU flags disabled, so arithmetic on subnormal floating-point values takes a measurably slower path than arithmetic on normal values, and the attacker can distinguish the two cases by timing.

Reproduction Case: A PoC file is attached to the report.

Consequences: Unauthorized access to cross-origin pixel data violates user privacy and security; reading the rendered colour of links from another origin enables history sniffing (visited-link detection) and related attacks.
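The measurement side of the attack described above, as an added illustration that is not the report's PoC or Chromium code. It shows the part a practitioner needs to understand to assess the impact: an attacker who can only observe per-pixel render time recovers a bitmap by sampling each pixel several times, taking the median, and classifying against a threshold calibrated from reference pixels of known value. Everything here is constructed: the secret bitmap, the cost model (the real channel is the render time of the feConvolveMatrix filter over the iframe, which is not reproduced here), the jitter, and the function names `makeChannel`, `calibrate` and `reconstruct` are all assumptions made for the example.

```javascript
// Added example (not the report's PoC): simulates the measurement side of a
// pixel-reading timing attack. A constructed oracle with seeded jitter stands in
// for the render time of an SVG feConvolveMatrix filter, so the code runs in Node.

const SIZE = 8;                     // the PoC read a 48x48 region; 8x8 keeps output short

// Constructed secret: what the cross-origin iframe renders (e.g. a visited-link glyph).
const SECRET = [
  '########',
  '#......#',
  '#.####.#',
  '#.#..#.#',
  '#.#..#.#',
  '#.####.#',
  '#......#',
  '########',
];

// Constructed per-pixel cost model in milliseconds: a "slow" pixel drives the
// filter through the subnormal (denormal) slow path, a "fast" one does not.
// Jitter is bounded so the simulation is deterministic; on real hardware the
// jitter exceeds the gap, which is why median-of-N sampling per pixel matters.
function makeChannel(secret, { slow = 3.0, fast = 1.0, jitter = 0.8, seed = 7 } = {}) {
  let s = seed >>> 0;
  const rand = () => {                       // small LCG, seeded for reproducibility
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
  const cost = (isSlow) => (isSlow ? slow : fast) + (rand() - 0.5) * jitter;
  return {
    // the attacker observes only time, never the pixel value itself
    measure: (x, y) => cost(secret[y][x] === '#'),
    // attacker-controlled reference pixels of known value rendered through the same filter
    reference: (isSlow) => cost(isSlow),
  };
}

function median(values) {
  const a = [...values].sort((p, q) => p - q);
  const m = a.length >> 1;
  return a.length % 2 ? a[m] : (a[m - 1] + a[m]) / 2;
}

function sample(fn, reps) {
  const t = [];
  for (let i = 0; i < reps; i++) t.push(fn());
  return median(t);
}

// Derive the decision threshold from known-slow / known-fast reference pixels
// rather than hard-coding timings, since absolute render times vary per machine.
function calibrate(channel, reps) {
  const slow = sample(() => channel.reference(true), reps);
  const fast = sample(() => channel.reference(false), reps);
  return { threshold: (slow + fast) / 2, gap: slow - fast };
}

// Reconstruct the region pixel by pixel; returns rows of '#'/'.' like SECRET.
function reconstruct(channel, size, reps = 9) {
  const { threshold, gap } = calibrate(channel, reps);
  if (gap <= 0) throw new Error('no usable timing difference; channel is closed');
  const rows = [];
  for (let y = 0; y < size; y++) {
    let row = '';
    for (let x = 0; x < size; x++) {
      row += sample(() => channel.measure(x, y), reps) > threshold ? '#' : '.';
    }
    rows.push(row);
  }
  return rows;
}

function demo() {
  const rows = reconstruct(makeChannel(SECRET), SIZE);
  console.log(rows.join('\n'));
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The `gap <= 0` check is the condition a fix must produce: once slow and fast pixels render in the same time (for example because subnormal operands are flushed to zero), calibration yields no gap and the reconstruction has nothing to classify on.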