DuckDuckGo Browser UXSS Flaw in AutoConsent JS Bridge Enables Cross-Origin Code Execution
A serious vulnerability in the DuckDuckGo Android browser allows cross-origin iframes to execute arbitrary JavaScript in the top-level page’s context, bypassing the Same-Origin Policy (SOP). The flaw, a Universal Cross-Site Scripting (uXSS) issue, is exploited through the AutoConsentAndroid JavaScript bridge. Security researcher Dhiraj Mishra disclosed the issue, which earned a CVSS score of 8.6 (High) on HackerOne. […] The post DuckDuckGo Browser UXSS Flaw in AutoConsent JS Bridge Enables Cross-Origin Code Execution appeared first on Cyber Security News.