Using embedded browsers in mobile applications can make those applications vulnerable to cross-site scripting (XSS) attacks.
The user interface is then more portable to other devices and is easier to customize using CSS. But this convenience comes at a cost: Osborn found that some developers don’t clean the data sent to their HTML-based user interface.
Google fixed the vulnerability on the server side, without needing to modify the client software. The impact of the vulnerability is small as it does not break the sandboxing of the applications and it does not have access to the cookies and other information accumulated by normal browser sessions.
With more and more applications using embedded browsers, on mobile devices and on the desktop, the potential for exploits that will be able to make effective use of uncleaned data injected into the HTML front-end is increasing.
Skype’s iPhone application suffered from an XSS attack in September and its desktop application suffered one in July.
Application developers embedding a web browser into their application need to follow the same rules a web application developer should follow when sending data to the interface: ensure no HTML or script tags are embedded in the data.
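
The rule above, shown as an added example (not code from any application named in this article): a message row built for an HTML-based interface, first by plain concatenation and then with every remote field encoded. The function names, message fields and sample input are hypothetical; the example encodes rather than strips, and also covers attribute values, which goes slightly beyond the tags the text mentions.

```javascript
// Added example: output encoding for an HTML UI shown in an embedded browser.
// escapeHtml, renderUnsafe, renderSafe and the msg fields are hypothetical names.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that can start an entity, open a tag or close a
// quoted attribute. "&" is handled in the same pass, so already-encoded
// input is encoded again instead of being trusted.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: remote data is concatenated straight into the markup, so any tag
// or quote it carries becomes part of the page the embedded browser renders.
function renderUnsafe(msg) {
  return '<div class="msg" title="' + msg.sender + '">' + msg.body + "</div>";
}

// After: each remote field is encoded at the point it enters the markup,
// in both the attribute value and the element body.
function renderSafe(msg) {
  return (
    '<div class="msg" title="' + escapeHtml(msg.sender) + '">' +
    escapeHtml(msg.body) + "</div>"
  );
}

// Constructed sample input standing in for data received from a remote peer.
const sample = {
  sender: 'Alice" onmouseover="x',
  body: "Hi <script>document.title='injected'</script> & bye",
};

console.log("unsafe:", renderUnsafe(sample));
console.log("safe:  ", renderSafe(sample));
```
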