Microsoft will not close the vulnerability found in the browser
By Prempal Singh
Security specialists from Cisco discovered a vulnerability that exists in all popular browsers,including Chrome, Safari and Edge. Unlike Google and Apple, which have already released patches, Microsoft has not done so. They believe that this is not a bug, but a browser.
Vulnerabilities CVE-2017-5033 and CVE-2017-2419 are in older versions of Chrome and Safari, so you need to update to at least the version of Chrome 57.0.2987.98, Safari 10.1 and iOS 10.3. The bug was found in Edge version 40.15063, in more modern versions it also is.
The security vulnerability is caused by the processing by the browser about: blank, which makes cross-site scripting possible, which will give access to user information. Such vulnerabilities are not as dangerous as remote code execution (RCE), but without a patch, if you bypass the policy of the Content Security server, confidential data can be stolen.
Attacks XSS can even give access to user accounts. Content Security Policy is designed to prevent them and allows the server to create a white list of resources that you can trust to run in the browser.
Users are encouraged to always update their browsers to the latest version.