CVE-2009-2352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2352): Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue to CVE-2009-1312.
I'm not sure about the versioning here, voyageur do you have information on this one, too?
This looks like http://code.google.com/p/chromium/issues/detail?id=9860 (or 9862 to be precise, but this one is private) Anyway, official google chrome 1.0.154.48 was revision 14361: http://src.chromium.org/viewvc/chrome/releases/1.0.154.59/src/chrome/?sortby=log&view=log So for us it's fixed (at least) from chromium-bin-0_p14361, oldest in tree currently is 20016
Thanks! Closing INVALID.