The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
googlechromereleases.blogspot.com/2015/02/chrome-for-android-update.html
googlechromereleases.blogspot.com/2015/02/stable-channel-update.html
lists.opensuse.org/opensuse-security-announce/2015-03/msg00005.html
rhn.redhat.com/errata/RHSA-2015-0163.html
secunia.com/advisories/62670
secunia.com/advisories/62818
secunia.com/advisories/62917
secunia.com/advisories/62925
security.gentoo.org/glsa/glsa-201502-13.xml
www.securityfocus.com/bid/72497
www.securitytracker.com/id/1031709
www.ubuntu.com/usn/USN-2495-1
code.google.com/p/chromium/issues/detail?id=453979
exchange.xforce.ibmcloud.com/vulnerabilities/100716
src.chromium.org/viewvc/blink?revision=189365&view=revision