CVE-2024-0804: Insufficient policy enforcement in Google Chrome

High
Tags: Vulnerability, CVE-2024-0804, cve, cve-2024-0804
Published: Tue Jan 23 2024 (01/23/2024, 23:53:01 UTC)
Source: CVE
Vendor/Project: Google
Product: Chrome

Description

Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

AI-Powered Analysis

Last updated: 07/08/2025, 09:12:40 UTC

Technical Analysis

CVE-2024-0804 is a high-severity vulnerability identified in Google Chrome versions prior to 121.0.6167.85, specifically affecting the iOS Security UI component. The root cause is insufficient policy enforcement within the iOS Security UI, which allows a remote attacker to leak cross-origin data by crafting a malicious HTML page. This vulnerability falls under CWE-693, which relates to protection mechanism failures. The vulnerability does not require any user interaction or privileges to exploit, and it can be triggered remotely over the network (AV:N/AC:L/PR:N/UI:N). The confidentiality impact is high (C:H), as attackers can access sensitive data from other origins without authorization, while integrity and availability are not affected. The vulnerability is specific to the iOS version of Google Chrome, leveraging weaknesses in how security policies are enforced in the UI layer, potentially bypassing same-origin policy protections. Although no known exploits are currently reported in the wild, the CVSS score of 7.5 reflects a significant risk due to ease of exploitation and the sensitive nature of the data that can be leaked.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to confidentiality, especially for entities handling sensitive or regulated data such as financial institutions, healthcare providers, and government agencies. Since Chrome is widely used across Europe on iOS devices, the potential for data leakage across web origins could lead to exposure of personal data, intellectual property, or confidential communications. This could result in regulatory non-compliance under GDPR, reputational damage, and potential financial penalties. The vulnerability could be exploited in targeted phishing or watering hole attacks, where users are lured to malicious web pages designed to exfiltrate data. Given the lack of required user interaction, automated exploitation is plausible, increasing the threat surface. Organizations relying on Chrome on iOS for secure web applications should consider this vulnerability a priority for patching to prevent unauthorized data disclosure.

Mitigation Recommendations

European organizations should immediately ensure that all iOS devices running Google Chrome are updated to version 121.0.6167.85 or later, where this vulnerability is fixed. Since no patch links are provided in the source, organizations should monitor official Google Chrome release channels for the update and deploy it promptly. In the interim, organizations can mitigate risk by restricting access to sensitive web applications from iOS Chrome browsers or implementing network-level controls such as web filtering to block access to untrusted or suspicious websites. Employing Content Security Policy (CSP) headers and other browser security features can help reduce the risk of cross-origin data leakage. Additionally, organizations should educate users about the risks of visiting untrusted websites and consider deploying Mobile Device Management (MDM) solutions to enforce browser update policies and monitor device compliance. Regular security assessments and monitoring for unusual data exfiltration patterns can help detect exploitation attempts.

Technical Details

Data Version: 5.1
Assigner Short Name: Chrome
Date Reserved: 2024-01-23T00:47:25.799Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f64490acd01a2492644fa

Added to database: 5/22/2025, 5:52:09 PM

Last enriched: 7/8/2025, 9:12:40 AM

Last updated: 7/26/2025, 3:47:18 AM
