Today Google launched version 61 of the Chrome browser for Windows, Mac, and Linux. With this release, we have 21 security updates, numerous improvements and bug fixes, and three APIs that allow developers to further enhance their sites and apps.
Sites can now access the relative positions of the screen content with the Visual Viewport API, exposing complex functionality like pinch-and-zoom in a more direct way.
The Device RAM API is now available, exposing the amount of RAM on a user’s device to sites so they can optimize the overall performance of a web application.
When navigating from an installed web app to a site outside the initial web app’s scope, the new site now automatically loads in a Custom Chrome Tab.
For video using native controls, Chrome will now automatically expand video to fullscreen when a user rotates their device to an orientation that matches a video playing on the screen.
To prevent the use of mis-issued certificates from going unnoticed, sites can use the new Expect-CT HTTP header, which enables automated reporting and/or enforcement of Certificate Transparency requirements.
Chrome will no longer decode frames for videos using Media Source in background tabs.
Sites can now use the Clear-Site-Data header to delete their own client-side data, such as cookies, service workers, storage, and cache entries.
To increase security, resources with URLs containing both \n and < characters will now be blocked.
To increase consistency across on<event> attributes, onwheel attributes have been moved from Element to Window, Document, HTMLElement, and SVGElement.
To better follow spec and provide more granular control over the flow of referred content, Chrome now supports three new Referrer Policy values, same-origin, strict-origin, and strict-origin-when-cross-origin.
Following the change in spec, the maximum value for colSpan has been decreased from 8190 to 1000.
This release of Chrome 61 also includes 21 security updates. The fixes contributed by external researchers, with their bounties, are:

| Bounty | Internal Ticket ID | Severity | CVE | Description | Discovered By |
|---|---|---|---|---|---|
| $5,000 | 737023 | High | CVE-2017-5111 | Use after free in PDFium. | Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-06-27 |
| $5,000 | 740603 | High | CVE-2017-5112 | Heap buffer overflow in WebGL. | Tobias Klein (www.trapkit.de) on 2017-07-10 |
| $5,000 | 747043 | High | CVE-2017-5113 | Heap buffer overflow in Skia. | Anonymous on 2017-07-20 |
| $3,500 | 752829 | High | CVE-2017-5114 | Memory lifecycle issue in PDFium. | Ke Liu of Tencent's Xuanwu LAB on 2017-08-07 |
| $3,000 | 744584 | High | CVE-2017-5115 | Type confusion in V8. | Marco Giovannini on 2017-07-17 |
| TBD | 759624 | High | CVE-2017-5116 | Type confusion in V8. | Anonymous on 2017-08-28 |
| $1,000 | 739190 | Medium | CVE-2017-5117 | Use of uninitialized value in Skia. | Tobias Klein (www.trapkit.de) on 2017-07-04 |
| $1,000 | 747847 | Medium | CVE-2017-5118 | Bypass of Content Security Policy in Blink. | WenXu Wu of Tencent's Xuanwu Lab on 2017-07-24 |
| N/A | 725127 | Medium | CVE-2017-5119 | Use of uninitialized value in Skia. | Anonymous on 2017-05-22 |
| N/A | 718676 | Low | CVE-2017-5120 | Potential HTTPS downgrade during redirect navigation. | Xiaoyin Liu (@general_nfs) on 2017-05-05 |