An update that fixes 24 vulnerabilities is now available.
This update for chromium to version 66.0.3359.181 fixes the following issues:
The following security issues were fixed (boo#1095163):
* CVE-2018-6123: Use after free in Blink. * CVE-2018-6124: Type confusion in Blink. * CVE-2018-6125: Overly permissive policy in WebUSB. * CVE-2018-6126: Heap buffer overflow in Skia. * CVE-2018-6127: Use after free in indexedDB. * CVE-2018-6128: uXSS in Chrome on iOS. * CVE-2018-6129: Out of bounds memory access in WebRTC. * CVE-2018-6130: Out of bounds memory access in WebRTC. * CVE-2018-6131: Incorrect mutability protection in WebAssembly. * CVE-2018-6132: Use of uninitialized memory in WebRTC. * CVE-2018-6133: URL spoof in Omnibox. * CVE-2018-6134: Referrer Policy bypass in Blink. * CVE-2018-6135: UI spoofing in Blink. * CVE-2018-6136: Out of bounds memory access in V8. * CVE-2018-6137: Leak of visited status of page in Blink. * CVE-2018-6138: Overly permissive policy in Extensions. * CVE-2018-6139: Restrictions bypass in the debugger extension API. * CVE-2018-6140: Restrictions bypass in the debugger extension API. * CVE-2018-6141: Heap buffer overflow in Skia. * CVE-2018-6142: Out of bounds memory access in V8. * CVE-2018-6143: Out of bounds memory access in V8. * CVE-2018-6144: Out of bounds memory access in PDFium. * CVE-2018-6145: Incorrect escaping of MathML in Blink. * CVE-2018-6147: Password fields not taking advantage of OS protections in Views.
* Autoplay: Force enable on desktop for Web Audio
This update enables the "Strict site isolation" feature for a larger percentage of users. This feature is a mitigation against the Spectre vulnerabilities. It can be turned on via: chrome://flags/#enable-site-per-process It can be disabled via: chrome://flags/#site-isolation-trial-opt-out
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: