None of the flaws are listed as being actively exploited, but the release notes for Chrome 104 do contain a few notable, albeit sparsely described, fixes for high severity flaws that affect the Chrome 'Omnibox' (address bar), Google's optional online protection Safe Browsing, the Dawn WebGPU implementation in Chrome, and Google's Apple AirDrop-like Nearby Share feature for sharing files between Chromebook and Android devices.
Google awarded an anonymous researcher $15,000 for the Omnibox memory-related 'use after free' issue tracked as CVE-2022-2603.
Safe Browsing in Chrome was also affected by a high severity use after free (CVE-2022-2604), and a medium severity issue caused by insufficient validation of untrusted input (CVE-2022-2622).
Safe Browsing is used by Chrome and other major browsers to show users a warning before they visit a dangerous website or download a malicious app.
The high severity issue was reported by Nan Wang and Guang Gong of 360 Alpha Lab at Qihoo 360 on June 10. The pair also reported a high severity use after free in Chrome's Managed devices API (CVE-2022-2606), and a medium severity use after free in Chrome's WebUI (CVE-2022-2620).
The flaw in Chrome's Nearby Share feature was also a use after free flaw (CVE-2022-2609).
Details about the bugs are scant because Google restricts access to bug details in its release notes "until a majority of users are updated with a fix." It also may restrict access if the bug exists in a third-party library that other projects depend on, but haven't yet fixed.
U2F USB two-factor authentication security keys are supported by WebAuthn, so aren't affected by the change, but websites will need to migrate to the WebAuthn API. The change should come as no surprise to web developers as Google has been warning about the change for the past two years.
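For a site migrating sign-in to WebAuthn while keeping security keys that were enrolled through the old U2F JavaScript API, the request can carry the WebAuthn `appid` extension so those keys still answer. This is an added example, not code from Google or from the article. It assumes the site stored U2F key handles as websafe base64; `example.com`, the AppID URL, the sample key handle and the challenge are constructed values.

```javascript
// Constructed sample: one key handle as a legacy U2F deployment would have stored it.
const legacyRegistrations = [{ version: "U2F_V2", keyHandle: "AQIDBAUGBwg" }];

// Websafe base64 (no padding, "-" and "_") to bytes, as WebAuthn needs BufferSource ids.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// extensions.appid lets the browser retry with the old U2F AppID when a listed
// credential was bound to that AppID instead of the RP ID.
function buildRequestOptions({ challenge, rpId, appId, registrations }) {
  return {
    challenge: b64urlToBytes(challenge),
    rpId,
    allowCredentials: registrations.map((r) => ({
      type: "public-key",
      id: b64urlToBytes(r.keyHandle),
    })),
    userVerification: "discouraged", // plain U2F keys only prove user presence
    timeout: 60000,
    extensions: { appid: appId },
  };
}

// Server-side decision: which identifier the authenticator hashed into rpIdHash.
// If the client reports appid === true, verify against SHA-256(appId), not SHA-256(rpId).
function rpIdHashSource(clientExtensionResults, rpId, appId) {
  return clientExtensionResults && clientExtensionResults.appid === true ? appId : rpId;
}

// Browser-only entry point; opts has the same shape buildRequestOptions() takes.
async function signIn(opts) {
  const cred = await navigator.credentials.get({ publicKey: buildRequestOptions(opts) });
  const ext = cred.getClientExtensionResults();
  return { cred, hashOver: rpIdHashSource(ext, opts.rpId, opts.appId) };
}
```

New registrations made through `navigator.credentials.create()` are bound to the RP ID, so the extension is only needed for as long as U2F-era credentials remain enrolled.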
Google has also promoted Chrome 104 to its new extended stable channel for Windows and Mac.