We have identified that Dolphin Browser HD is also vulnerable to Cross-Application Scripting, through the same attack vector as the Android Browser vulnerability we disclosed last month. A non-privileged application can exploit this vulnerability to inject JavaScript code into the context of an arbitrary domain.
Dolphin Browser HD 6.1.0 has been released, which incorporates a fix for this bug.
The full advisory can be found here.
Demo of the PoC:
We would like to thank the Dolphin team for the efficient and quick way in which it handled this security issue.