Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively.
Exploiting the flaw is somewhat simple — at least for people with background in web development. An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.
The researcher found the flaw last year in November. The issue has a CVSS severity score of 4.3 out of 10.
Summarizing, Edge users are still vulnerable to this flaw, while users employing Google Chrome 57.0.2987.98, iOS 10.3, and Safari 10.1 or later are all protected. Firefox is not affected.