What is the Chromium PopupBlocker?
Chromium's popup blocker is a security and user experience feature that prevents web pages from opening new browser windows or navigating cross-origin without an explicit user gesture (such as a click or key press). The popup blocker enforces navigation restrictions — a page in an iframe cannot force the top-level window to navigate to a different origin without user interaction. This policy prevents drive-by attacks where a malicious ad or embedded content hijacks the user's browser navigation. When popup blocking policy is incorrectly enforced (CWE-863: Incorrect Authorization), a crafted iframe can bypass the restriction and force unexpected navigation, potentially redirecting users to phishing pages, triggering malicious downloads, or bypassing click-to-navigate requirements for security-sensitive operations.
Overview
CVE-2021-30533 is an insufficient policy enforcement vulnerability (CWE-863) in the Chromium popup blocker. A remote attacker can craft an iframe that bypasses Chromium's navigation restrictions, forcing the browser to navigate to attacker-controlled URLs without requiring a legitimate user gesture. The high Integrity (I:H) impact reflects that the attacker can override the browser's navigation controls — directing the user to a page of the attacker's choosing. Fixed in Chrome 91.0.4472.77 (May 25, 2021). CISA added it to KEV in June 2022, a year after the patch, indicating persistence of unpatched deployments.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Google Chrome before 91.0.4472.77 | Yes | 91.0.4472.77 |
| Microsoft Edge (Chromium-based) before equivalent version | Yes | Apply corresponding Edge update |
| Other Chromium-based browsers | Yes | Apply vendor-specific Chromium 91 equivalent update |
Technical Details
- Root cause: Insufficient policy enforcement (CWE-863) in the popup blocker's navigation permission check — a crafted iframe can trigger navigation in a way that bypasses the check that would normally require a user gesture; the bypass may involve specific iframe sandboxing configurations, navigation event sequences, or URL schemes that the popup policy check does not properly handle
- Navigation hijacking: The practical exploitation path redirects the user's browser (or a specific frame) to an attacker-controlled URL; this can be chained with phishing pages (credential theft), drive-by download sites, or other malicious destinations that the user would not have navigated to intentionally
- I:H / No Confidentiality impact: The vulnerability does not directly read data (C:N), but the high integrity impact reflects that attacker-controlled navigation violates the browser's fundamental security guarantee about where users will be taken; in downstream attacks, this can lead to credential theft, malware delivery, or security confirmation bypasses
- PR:N/UI:R: No authentication is required; exploitation requires the victim to visit a page with the crafted iframe (user interaction) — typical for a drive-by attack embedded in ad networks, compromised websites, or malicious links
- Chromium-wide impact: As with all Chromium-based browser vulnerabilities, this affects Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, and other Chromium-derivative browsers before they incorporated the fix
Discovery
Reported to Google's security team and patched in Chrome 91.0.4472.77 (May 25, 2021). CISA's June 2022 KEV addition reflects confirmed active exploitation, likely in malvertising or drive-by campaigns that leveraged the popup bypass to redirect users to malicious infrastructure.
Exploitation Context
Popup blocker bypasses in Chromium are used in advertising fraud, malvertising campaigns, and phishing operations that require redirecting user browsers without triggering security prompts. The I:H rating reflects that unauthorized navigation is the core attack — operators of malicious ad networks or compromised websites can use CVE-2021-30533 to force browser navigation to landing pages that install adware, steal credentials, or initiate malicious downloads. The CISA KEV addition one year after the patch suggests the vulnerability was being actively used in ongoing campaigns affecting organizations that had not updated Chromium-based browsers.
Remediation
- Update Google Chrome to 91.0.4472.77 or later — the security fix for CVE-2021-30533 is included
- Update Microsoft Edge to the equivalent Chromium 91-based version or later
- Update all other Chromium-based browsers (Opera, Brave, Vivaldi) to versions incorporating the Chrome 91 patch
- Enable automatic browser updates in organizational policy to ensure security patches are applied promptly
- Consider deploying browser isolation or URL filtering to prevent drive-by redirections to known-malicious domains even if a bypass is used
- Monitor proxy/web gateway logs for unusual iframe-initiated navigations to unfamiliar external domains
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-30533 |
| Vendor / Product | Google — Chromium PopupBlocker |
| NVD Published | 2021-06-07 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| Severity | MEDIUM |
| CWE | CWE-863 find similar ↗ |
| CISA KEV Added | 2022-06-27 |
| CISA KEV Deadline | 2022-07-18 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2021-05-25 | Chrome 91.0.4472.77 released, patching CVE-2021-30533 popup blocker bypass |
| 2021-06-07 | CVE published |
| 2022-06-27 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-07-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Chrome 91.0.4472.77 Stable Channel Update | Vendor Advisory |
| NVD — CVE-2021-30533 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |