CVE-2024-9285

Vulnerability

Overview

The vulnerability resides in the Javascript Bridge component of Via Browser for Android (versions up to 5.9.0). The exact processing flaw leads to improper handling of user-controlled input, enabling cross-site scripting (XSS) attacks. The issue is classified as problematic with a CVSS v3 score of 4.3 (Medium). [1]

Exploitation

An attacker can trigger the vulnerability remotely, without requiring prior authentication or user interaction beyond normal browser usage. The attack vector involves manipulating the Javascript Bridge to inject and execute arbitrary JavaScript code within the browser context. The exploit has been publicly disclosed, increasing the risk of practical attacks. [1]

Impact

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the browser, potentially leading to data theft, session hijacking, or other client-side attacks. The vulnerability may also be chained with other bugs—as demonstrated in a related advisory—to achieve more severe outcomes such as remote code execution with ASLR bypass. [1]

Mitigation

A patch is recommended by the vendor to fix the issue. Users should update Via Browser to a patched version as soon as possible. No workarounds have been published. The vulnerability has been publicly disclosed with a proof of concept, so applying the patch is urgent. [1]