CVE-2024-45489

Name of the Vulnerable Software and Affected Versions Arc versions prior to 2024-08-26

Description The issue is related to a remote code execution vulnerability in JavaScript boosts. Normally, boosts running JavaScript cannot be shared by default; however, due to misconfigured Firebase ACLs, it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary JavaScript on that browser in a privileged context. There are no reported affected users.

Recommendations For Arc versions prior to 2024-08-26, update to a version released after 2024-08-26 to resolve the issue. As a temporary workaround, consider restricting access to JavaScript boosts to minimize the risk of exploitation.