Impact
Arc Search for Android has a window.open race condition that allows a remote attacker to cause the address bar to display a legitimate domain name while rendering attacker‑controlled content. This flaw, classified as CWE‑1021 (Incorrect Resource Access Control), lets a malicious site masquerade as a trusted site, enabling phishing attacks against users who trust the displayed URL.
Affected Systems
The affected product is Arc Search from The Browser Company of New York, available for Android devices. Version information is not provided in the CVE data, so all releases of Arc Search for Android should be considered potentially vulnerable until a patch is released.
Risk and Exploitability
The CVSS score of 7.4 denotes a high‑impact vulnerability, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Attackers can trigger the race condition by inducing a window.open call, likely via a crafted link or malicious content accessed through Arc Search. If exploited, the attacker can perform phishing attacks that appear legitimate to users, potentially compromising credentials or personal information.
OpenCVE Enrichment