Tu Yafeng Via Browser Cross-Site Scripting Vulnerability in Javascript Bridge Component
Vulnerability
A cross-site scripting vulnerability has been identified in Tu Yafeng Via Browser for Android, affecting versions through 5.9.0. This issue arises from an unknown processing flaw in the Javascript Bridge component, allowing remote attackers to manipulate content and execute scripts in the context of other websites. The exploitation of this vulnerability could lead to the theft of session cookies and impersonation of logged-in users.
Impact
Exploitation of this vulnerability bypasses the Same Origin Policy, enabling universal cross-site scripting. This allows an attacker to execute scripts on behalf of a user, potentially leading to session hijacking.
Reproduction
The vulnerability can be reproduced by calling the 'via.searchText' function with a 'javascript:' URL payload. This function, exposed by the browser's Javascript API, opens the URL in the browser. By redirecting to another website after the JavaScript payload is executed, the cross-site scripting vulnerability can be exploited.
Remediation
Users are advised to update to the patched version of Via Browser.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.