Chrome 77 is launched today by the Chrome Team. The Chrome 77 is for Windows, Mac, Linux, Android, and iOS.
The release includes new performance metrics, form capabilities, and Origin Trials.
Chrome 77.0.3865.75 contains a number of fixes and improvements.
How To Get Chrome 77:
You can update to the latest version now using Chrome’s built-in updater or download it directly from google.com/chrome.
New Performance metrics, forms, and Origin Trials:
Google is always finding a way to speed up the web and Chrome is its main tool for doing so. Chrome 77 introduces two new performance metrics which will help developers to measure how quickly the main content of a web page loads and is made visible to users also.
- Largest Contentful Paint : Attempts to provide more meaningful data by using the largest content element as a proxy for when the main content of the page is likely visible to users.
- PerformanceEventTiming : It provides timing information about the latency of the first discrete user interaction and then Chrome measures for a key down, mouse down, click, or the combination of pointer down and pointer up. This is a subset of the Event Timing API but can be exposed in advance to help measure and optimize responsiveness.
Chrome 77 also includes site isolation improvements to protect cross-site data such as cookies and HTTP resources in attacker-controlled websites. Site isolation will be enabled on some Android devices for sites where mobile users enter passwords.
Chrome 77 also has an updated the Google services like:
- Google Maps,
- Google News,
- Google Translate
It also prompts you to set Chrome as the default browser. You can disable the new flow with the PromotionalTabsEnabled policy.
Chrome for Android and iOS
The full changelog isn’t up yet but Chrome 77 is rolling out slowly for Android on Google Play.
Chrome 77 for iOS is rolling out on Apple’s App Store. It includes four improvements:
- A new language settings page, giving you more control over which languages Chrome offers translations for.
- You can clear your browsing data from a specific range of time, like the past hour or past day.
- Omnibox suggestions are easier to read with added thumbnails and icons.
52 New Security Fixes:
Chrome 77 has implemented 52 security fixes. The following were found by external researchers:
- [$TBD] Critical CVE-2019-5870: Use-after-free in media. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
- [$7500] High CVE-2019-5871: Heap overflow in Skia. Reported by Anonymous on 2019-08-03
- [$3000] High CVE-2019-5872: Use-after-free in Mojo. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 on 2019-07-05
- [$3000] High CVE-2019-5873: URL bar spoofing on iOS. Reported by Khalil Zhani on 2019-07-31
- [$3000] High CVE-2019-5874: External URIs may trigger other browsers. Reported by James Lee (@Windowsrcer) on 2019-08-01
- [$2000] High CVE-2019-5875: URL bar spoof via download redirect. Reported by Khalil Zhani on 2019-06-28
- [$TBD] High CVE-2019-5876: Use-after-free in media. Reported by Man Yue Mo of Semmle Security Research Team on 2019-08-23
- [$TBD] High CVE-2019-5877: Out-of-bounds access in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-08-29
- [$TBD] High CVE-2019-5878: Use-after-free in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-09-03
- [$3000] Medium CVE-2019-5879: Extension can bypass same origin policy. Reported by Jinseo Kim on 2019-07-20
- [$2000] Medium CVE-2019-5880: SameSite cookie bypass. Reported by Jun Kokatsu (@shhnjk) on 2018-04-11
- [$2000] Medium CVE-2019-5881: Arbitrary read in SwiftShader. Reported by Zhe Jin（金哲），Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 on 2019-07-03
- [$1000] Medium CVE-2019-13659: URL spoof. Reported by Lnyas Zhang on 2018-07-30
- [$1000] Medium CVE-2019-13660: Full screen notification overlap. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-10
- [$1000] Medium CVE-2019-13661: Full screen notification spoof. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-09-11
- [$1000] Medium CVE-2019-13662: CSP bypass. Reported by David Erceg on 2019-05-28
- [$500] Medium CVE-2019-13663: IDN spoof. Reported by Lnyas Zhang on 2018-07-14
- [$500] Medium CVE-2019-13664: CSRF bypass. Reported by thomas “zemnmez” shadwell on 2018-12-16
- [$500] Medium CVE-2019-13665: Multiple file download protection bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-05
- [$500] Medium CVE-2019-13666: Side channel using storage size estimate. Reported by Tom Van Goethem from imec-DistriNet, KU Leuven on 2019-05-07
- [$500] Medium CVE-2019-13667: URI bar spoof when using external app URIs. Reported by Khalil Zhani on 2019-06-11
- [$500] Medium CVE-2019-13668: Global window leak via console. Reported by David Erceg on 2019-07-22
- [$N/A] Medium CVE-2019-13669: HTTP authentication spoof. Reported by Khalil Zhani on 2019-05-30
- [$N/A] Medium CVE-2019-13670: V8 memory corruption in regex. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-07-03
- [$TBD] Medium CVE-2019-13671: Dialog box fails to show origin. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-02-27
- [$TBD] Medium CVE-2019-13673: Cross-origin information leak using devtools. Reported by David Erceg on 2019-08-26
- [$500] Low CVE-2019-13674: IDN spoofing. Reported by Khalil Zhani on 2018-10-18
- [$500] Low CVE-2019-13675: Extensions can be disabled by trailing slash. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-02-07
- [$TBD] Low CVE-2019-13676: Google URI shown for certificate warning. Reported by Wenxu Wu (@ma7h1as) of Tencent Security Xuanwu Lab on 2018-08-17
- [$TBD] Low CVE-2019-13677: Chrome web store origin needs to be isolated. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-03-06
- [$TBD] Low CVE-2019-13678: Download dialog spoofing. Reported by Ronni Skansing on 2019-03-27
- [$TBD] Low CVE-2019-13679: User gesture needed for printing. Reported by Conrad Irwin, Superhuman on 2019-05-31
- [$TBD] Low CVE-2019-13680: IP address spoofing to servers. Reported by Thijs Alkemade from Computest on 2019-06-03
- [$TBD] Low CVE-2019-13681: Bypass on download restrictions. Reported by David Erceg on 2019-06-04
- [$TBD] Low CVE-2019-13682: Site isolation bypass. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-06-07
- [$TBD] Low CVE-2019-13683: Exceptions leaked by devtools. Reported by David Erceg on 2019-07-25
-  Various fixes from internal audits, fuzzing and other initiatives
Google spent at least $33,500 in bug bounties(a reward offered to a person who identifies an error or vulnerability in a computer program or system) for this release.