CVE-2023-42471 in wave.ai.browser

Summary

by MITRE • 09/11/2023

The wave.ai.browser application through 1.0.35 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. It contains a manifest entry that exports the wave.ai.browser.ui.splash.SplashScreen activity. This activity uses a WebView component to display web content and doesn't adequately validate or sanitize the URI or any extra data passed in the intent by a third party application (with no permissions).


Analysis

by VulDB Data Team • 02/02/2026

The vulnerability identified as CVE-2023-42471 affects the wave.ai.browser application version 1.0.35 and earlier on Android platforms, representing a critical security flaw that enables remote code execution through malicious intent manipulation. This vulnerability stems from improper handling of inter-process communication within the application's manifest configuration, specifically targeting the exported SplashScreen activity that serves as an entry point for external applications to inject arbitrary data into the browser component.

Technically, the flaw lies in a manifest-exported activity that uses a WebView component to render web content without adequate input validation or sanitization. When a third-party application sends an intent containing a crafted URI or additional data parameters, the SplashScreen activity does not validate or sanitize these inputs before passing them to the WebView component. This gives attackers a direct path to inject malicious JavaScript code that executes within the context of the browser application, effectively bypassing normal security boundaries and permissions.

The operational impact of this vulnerability extends beyond simple code execution, as it allows attackers to leverage the browser application's privileges to perform actions that would otherwise be restricted. The lack of permission requirements for the exported activity means that any application installed on the device can potentially exploit this flaw, making the attack surface extremely broad. The vulnerability aligns with CWE-79, which describes improper neutralization of input during web page generation, and represents a classic example of a WebView injection vulnerability that can be exploited to compromise user data and device integrity.

From an adversarial perspective, this vulnerability enables threat actors to execute arbitrary JavaScript code through carefully crafted intents, potentially leading to data theft, session hijacking, or further exploitation of the device. The attack vector requires minimal privileges and can be initiated from any application, making it particularly dangerous in environments where users may unknowingly install malicious applications. This flaw directly maps to ATT&CK technique T1059.007 for JavaScript and T1059.001 for command and scripting interpreter, as it allows for the execution of malicious scripts within the browser context.

Mitigation strategies for this vulnerability should focus on immediate remediation through proper manifest configuration and input validation. Applications should avoid exporting activities that handle user-facing content without proper permission checks, and all intent data should undergo rigorous validation before being processed by WebView components. The fix involves removing or properly securing the exported SplashScreen activity, implementing strict input validation for all external data, and ensuring that WebView components are configured with appropriate security settings to prevent script execution from untrusted sources. Additionally, developers should implement proper permission models and avoid using the FLAG_ACTIVITY_NEW_TASK flag inappropriately, as this can inadvertently expose sensitive components to malicious applications.
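The input-validation step described above can be sketched as follows. This is an added example, not code from wave.ai.browser or VulDB: the class `IntentUrlPolicy` and method `safeUrl` are hypothetical, the sample inputs are constructed, and it assumes the activity would pass the string from `getIntent().getDataString()` through this check before calling `WebView.loadUrl`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/** Hypothetical helper: decides whether a URL taken from an untrusted Intent may reach a WebView. */
public final class IntentUrlPolicy {
    // Assumption: external callers only ever need the browser to open ordinary web pages.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns the normalized URL if it is acceptable to load, otherwise empty. */
    public static Optional<String> safeUrl(String raw) {
        // Reject whitespace and control characters anywhere in the string: URL parsers
        // differ in how leniently they strip them, so they must not reach the WebView.
        if (raw == null || raw.chars().anyMatch(c -> c <= 0x20 || c == 0x7f)) {
            return Optional.empty();
        }
        final URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty(); // malformed input is refused, never "repaired"
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return Optional.empty(); // javascript:, data:, file:, content:, intent:, ...
        }
        // Require a real host and refuse embedded credentials (user@host confusion).
        if (uri.getHost() == null || uri.getHost().isEmpty() || uri.getRawUserInfo() != null) {
            return Optional.empty();
        }
        return Optional.of(uri.toString());
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for Intent data strings.
        String[] samples = {
            "https://example.com/page?q=1",
            "JavaScript:alert(1)",
            "data:text/html,<script>alert(1)</script>",
            "file:///data/data/app/files/x.html",
            "https://user:pw@example.com/",
            "//example.com/no-scheme",
        };
        for (String s : samples) {
            System.out.println((safeUrl(s).isPresent() ? "LOAD   " : "REJECT ") + s);
        }
    }
}
```

Only the first sample is accepted. String extras from the same intent need the same treatment before they are concatenated into any page or script the WebView evaluates.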

Reservation: 09/11/2023
Disclosure: 09/11/2023
Moderation: accepted
CPE: ready

EPSS: 0.01419
KEV: no
Activities: very low
