Key information

Vulnerability Details

Race Condition:
- In the devtools API server and with insufficient permission checks, extensions with the permission can execute arbitrary JS on any page.

Execution on :
- Used to run JS on executing to apply arbitrary user policies to the browser.

Policy-Driven Browser Switcher:
- Set policies like , , etc., which trigger a browser switcher to execute specified commands.

Policy Trigger:
- An extension navigates to to trigger the switcher.

Explanation

Devtools API Permissions Bypass:
- lacks checks preventing unauthorized script execution.
- Exploit verifies opening , clicking "current settings," and opening devtools. Calling runs arbitrary JS on the page.

Sandbox Escape with :
- Page allows setting local policies for testing, disabled by default but exploited for policy enforcement.