Key Vulnerability Information Title: Security: Cursor hijacking mitigation bypass Type: Vulnerability Priority: P1 Severity: S2 Status: Fixed Reporter: ab...@microsoft.com Vulnerability Details Version: Chrome Version 83.0.4103.116 (Official Build) (64-bit), tested with the latest Canary version Operating System: Windows 10 Pro Reproduction Case Description: Host an HTML file in a directory and open (via HTTP, not FILE) to see a simulated attack using this method. - Minimal reproduction example (note how custom cursor overlays more UI): Background: - [Deprecated] Custom cursors larger than 32x32 DIP intersecting with native UI were deprecated in M75 and removed around June 2019. More details available in the linked resources. Related Links https://www.chromestatus.com/features/5825971391299584 https://bugs.chromium.org/p/chromium/issues/detail?id=640227 https://bugs.chromium.org/p/chromium/issues/detail?id=880863 https://benjaminbenben.com/cursor-y-hack/ https://jamesfisher.github.io/cursor-y-hack/ http://cr.kungfoo.net/style/cursor/abusive-cursor.html Additional Files - [View / Download] - [View / Download] - [View / Download]