POC / CVE-2024-23729

> The ColorOS Internet Browser com.heytap.browser application 45.10.3.4.1 for Android allows a remote attacker to execute arbitrary JavaScript code via the com.android.browser.RealBrowserActivity component.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> CWE-94: Improper Control of Generation of Code ('Code Injection')
>
> ------------------------------------------
>
> [Vendor of Product]
> ColorOS
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Internet Browser (com.heytap.browser) - Version 45.10.3.4.1
>
> ------------------------------------------
>
> [Affected Component]
> Exported Activity: com.android.browser.RealBrowserActivity
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A remote attacker or any installed application (with no permissions) can execute arbitrary JavaScript code via a crafted intent to the com.android.browser.RealBrowserActivity activity
>
> ------------------------------------------
>
> [Reference]
> https://github.com/actuator/com.heytap.browser
> https://play.google.com/store/apps/details?id=com.heytap.browser
>
> ------------------------------------------
>
> [Discoverer]
> Edward Warren