CVE-2011-2357

Name of the Vulnerable Software and Affected Versions Android versions 2.3.4 through 3.1

Description A cross-application scripting issue exists in the Browser URL loading functionality, allowing local applications to bypass the sandbox and execute arbitrary Javascript in arbitrary domains. This can be achieved by either causing the maximum number of tabs to be opened and then loading a URI to the targeted domain into the current tab, or by making two startActivity function calls beginning with the targeted domain's URI followed by the malicious Javascript while the UI focus is still associated with the targeted domain.

Recommendations For Android versions 2.3.4 through 3.1, consider restricting access to the Browser URL loading functionality to minimize the risk of exploitation. As a temporary workaround, avoid using the startActivity function to load URIs from untrusted sources until a patch is available.