Vulnerability resides in the ways Evernote Web Clipper extension interacts with websites, iframes and inject scripts, breaking browser’s same-origin policy (SOP) and domain-isolation mechanisms. The vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue. Over 4,610,000 users have been using the extension for Chrome browser.
Source: https://thehackernews.com/2019/06/evernote-extension-hacking.html