IBM Application Security Insider

We have identified that Dolphin Browser HD is also vulnerable to Cross-Application Scripting, by using the same attack vector as of the Android Browser vulnerability we disclosed last month. This vulnerability can be exploited by a non-privileged application in order to inject JavaScript code into the context of an arbitrary domain.

Dolphin Browser HD 6.1.0 has been released, which incorporates a fix for this bug. 

The full advisory can be found here.

Demo of the PoC:

We would like to thank the Dolphin team for the efficient and quick way in which it handled this security issue.

Recently we detected a security vulnerability in Opera Mobile for Android which can be exploited by a non-privileged application in order to inject JavaScript code into the
context of any domain; therefore, this vulnerability has the same implications as global XSS, albeit from an installed application rather than another website.

Opera Mobile 11.1 update 2 has been released, which incorporates a fix for this bug.

The complete advisory can be found here.

Demo of the PoC:

We would like to thank the Opera Team for the efficient and quick way in which it handled this security issue.