CVE-2019-25056
Description
In Bromite through 78.0.3904.130, there are adblock rules in the release APK; therefore, probing which resources are blocked and which aren't can identify the application version and defeat the User-Agent protection mechanism.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bromite up to 78.0.3904.130 includes adblock rules in the release APK, enabling version fingerprinting and bypass of User-Agent anti-tracking protections.
Vulnerability
In Bromite, a privacy-focused browser based on Chromium, adblock rules are embedded in the release APK in versions through 78.0.3904.130 [1]. By probing which web resources are blocked and which are allowed, a remote website can infer the presence and version of Bromite, defeating the browser's User-Agent protection mechanism that aims to prevent fingerprinting [1]. The vulnerability exists because the adblock rules are static and bundled with the application, rather than being fetched dynamically or obfuscated. Affected versions include all releases up to and including 78.0.3904.130 [1].
Exploitation
An attacker (a remote web server) does not require any special privileges, authentication, or user interaction beyond the victim visiting a malicious or attacker-controlled webpage. By embedding specific resources on the page and observing whether they are blocked (for example, via JavaScript load event handlers or CSS detection), the attacker can systematically test which adblock rules are active. The set of blocked resources uniquely identifies the Bromite version, allowing the attacker to defeat the User-Agent spoofing protection and fingerprint the exact browser build [1].
Impact
Successful exploitation allows a remote website to identify the exact version of Bromite in use, bypassing the browser's User-Agent privacy protection. This information disclosure undermines the anti-fingerprinting goal of the User-Agent randomization feature, potentially enabling targeted attacks based on known vulnerabilities in that specific version. The impact is limited to version detection and does not directly enable code execution or data exfiltration, but it weakens the privacy guarantees of the browser [1].
Mitigation
According to reference [1], the issue was acknowledged by the Bromite project. Users should upgrade to a version newer than 78.0.3904.130, if available. The fix involves making the adblock rules dynamic (downloaded at runtime) to prevent static fingerprinting [1]. No workaround is documented for affected versions; the only mitigation is to update to a patched build. The vulnerability has not been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References
[1] github.com/bromite/bromite/issues/2 (mitre, x_refsource_MISC)