The problem was discovered by prolific Google researcher Tavis Ormandy, who said on Twitter that "there was a secret URL in WebEx that allowed any website to run arbitrary code." WebEx uses a coded link (cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html) to remotely start meetings on connected machines with the Chrome extension installed.
If a malicious player figured that out, they could place the URL on a web page (hidden in an invisible iframe for instance), where it would trigger the WebEx extension when you visit. From there, the attacker can execute any code they want and take full control of your machine.
The problems is particularly severe because some 20 million people use WebEx, and many of them are at corporations. That could leave sensitive materials, including private customer or employee data, open to theft, ransomware and other types of criminal activity.
Cisco patched the bug just two days after Ormandy privately reported it -- the patched version, as mentioned, is 1.03. I have the Chrome extension myself (to my surprise), but luckily, the updated version was already installed when I got up this morning.
However, Valsorda called the patch "weak," as it just shows a popup that says "WebEx meeting client will be launched if you accept this request." If you select "OK," instead of "Cancel" when you visit a malicious site, malware can still be installed. For that reason, he recommends that you install a custom Chrome profile if you really need to run WebEx. His detailed instructions to do that are here.