CVE-2014-4968:
Remote code execution via the WebView.addJavascriptInterface API in the Boat Browser Android app (versions 8.0 and 8.0.1), allowing an attacker to run arbitrary code through a crafted webpage (related to CVE-2012-6636).
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8 High
- Published Date: Feb 12, 2020
- CISA KEV Date: *No Data*
- Industries Affected: 20
Threat Predictions
- EPSS Score: 4.3
- EPSS Percentile: 89%
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
This CVE describes a remote code execution flaw in Boat Browser for Android, caused by insecure use of WebView and JavaScript interfaces via WebView.addJavascriptInterface. An attacker could deliver a crafted webpage that leverages these interfaces to execute arbitrary code within the app’s context. The vulnerability is tied to older Android/WebView security practices and is noted as related to CVE-2012-6636. The affected versions are Boat Browser for Android 8.0 and 8.0.1.
Remediation
- Action 1: If you use Boat Browser, upgrade to the latest available version that fixes the WebView/JavaScriptInterface misuse, or migrate to a more secure browser.
- Action 2: If you are a developer using WebView in apps, stop using WebView.addJavascriptInterface with untrusted content. Expose only minimal, well-defined interfaces and consider alternative communication mechanisms (such as WebMessages) where possible.
- Action 3: Harden WebView security in any app that uses WebView: disable JavaScript when it is not needed (setJavaScriptEnabled to false if feasible) and tightly restrict what is exposed to it otherwise, restrict access to local and file content (disable setAllowFileAccess and related flags where appropriate), and limit content loaded into WebView to trusted sources (use HTTPS and a strict Content Security Policy).
- Action 4: Enforce platform and library updates: apply the latest Android security patches and any Boat Browser security updates, and monitor for new advisories.
- Action 5: Validate mitigations with testing using controlled, crafted payloads to ensure the vulnerability is not exploitable after updates.
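The settings named in Actions 2 and 3, gathered into one WebView factory with the weak choice noted beside each hardened one. This is an added example, not code from Boat Browser or from the advisory; the class names, the `appInfo` bridge name, the host `app.example.com` and a minimum API level of 24 are assumptions.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class HardenedWebViewFactory {
    // Assumption: the single origin this app needs to render.
    private static final String TRUSTED_HOST = "app.example.com";

    /** Minimal bridge: one read-only method, no Context, file or reflection access. */
    static final class VersionBridge {
        @JavascriptInterface // on API 17+ only annotated methods are callable from page script
        public String appVersion() { return "1.0"; }
    }

    /** HTTPS to the trusted host only; a null scheme or host is rejected. */
    static boolean isTrusted(Uri uri) {
        return "https".equals(uri.getScheme()) && TRUSTED_HOST.equals(uri.getHost());
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static WebView create(Context context, boolean needsScript) {
        WebView view = new WebView(context);
        WebSettings s = view.getSettings();

        // Weak: setJavaScriptEnabled(true) unconditionally, for any page.
        s.setJavaScriptEnabled(needsScript);
        // Weak: file and content access left enabled.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        // Weak: addJavascriptInterface on a view that loads arbitrary URLs.
        if (needsScript) view.addJavascriptInterface(new VersionBridge(), "appInfo");

        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true cancels the navigation
            }
        });
        return view;
    }
}
```

`shouldOverrideUrlLoading` is not invoked for the URL passed to `loadUrl` and does not filter subresources, so the caller should run `isTrusted` on the initial URL as well and rely on the page's Content Security Policy for embedded content.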