PT-2012-46: Cross-application scripting in Google Chrome on Android

Vulnerable software

Google Chrome on Android
Version: 18.0.1025123 and earlier

Application link:

Severity level

Severity level: Medium
Impact: Cross-application scripting
Access Vector: Remote  

CVSS v2:
Base Score: 4.3
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE: CVE-2012-4904

Software description

Google Chrome is a web browser for Android.

Vulnerability description

The specialists of the Positive Research center have detected "Cross-application scripting (UXSS)" vulnerability in Google Chrome on Android.

Cross-application scripting vulnerability in Google Chrome on Android allows remote attackers to inject arbitrary web script via unspecified vectors, as demonstrated by "Universal XSS (UXSS)" attacks against the current tab.

How to fix

Update your software up to the latest version

Advisory status

20.07.2012 - Vendor is notified
20.07.2012 - Vendor gets vulnerability details
12.09.2012 - Vendor releases fixed version and details
21.09.2012 - Public disclosure


The vulnerability has discovered by Artem Chaykin, Positive Research Center (Positive Technologies Company)


Reports on the vulnerabilities previously discovered by Positive Research: