Recently IBM researchers detected a security vulnerability in Android’s Browser which can be exploited by a non-privileged application in order to inject JavaScript code into the context of any domain.This vulnerability has the same implications as global XSS, albeit from an installed application rather than another website.Android 2.3.5 and 3.2 have been released, which incorporate a fix for this bug. Patches are available for Android 2.2.* and will be released at a later date. The complete advisory can be found here. The browser holds sensitive information such as cookies, cache and history, and injected JavaScript could make it possible to extract that information, indirectly breaking the Android sandbox architecture. The attack exploits flaws in how the browser reacts to calls to view web pages from other applications.
IBM demonstrates the proof of concept for Android Cross Application scripting
