CVE-2024-46965

Vulnerability

Overview The Fast Video Downloader: Browser application (allvideo.downloader.browser) through version 1.6-RC1 for Android contains a vulnerability in its DefaultBrowserActivity component. This component improperly handles incoming intents, allowing an attacker to inject arbitrary JavaScript code into the WebView context [1].

Attack

Vector Exploitation requires no special permissions beyond the ability to send intents to the vulnerable component. An attacker can craft a malicious intent that loads attacker-controlled JavaScript, potentially from a third-party application installed on the same device. The attack does not require user interaction beyond launching the affected app [1].

Impact

Successful exploitation enables arbitrary JavaScript execution within the app's WebView. This could lead to data theft (e.g., cookies, stored credentials), phishing attacks by modifying page content, or further compromise of the app's functionality. The full impact depends on the sensitive information accessible to the WebView [1].

Mitigation

Status As of the disclosure date (November 11, 2024), no official patch or update appears to be available for versions up to 1.6-RC1. Users are advised to avoid using the affected application or to restrict its permissions until a fix is released [1].