Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Lifecycle Timeline
7DescriptionCVE.org
ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.
AnalysisAI
ArcSearch for Android versions prior to 1.12.7 contains an address bar spoofing vulnerability that allows attackers to display a different domain in the browser's address bar than the actual content being rendered. Users of ArcSearch for Android prior to version 1.12.7 are affected, and an attacker can craft malicious web content that, after user interaction, deceives users into believing they are visiting a legitimate domain while viewing attacker-controlled content. There is no indication of active exploitation in KEV data, and EPSS data is not provided.
Technical ContextAI
The vulnerability affects ArcSearch for Android, a mobile browser application developed by The Browser Company of New York (CPE: cpe:2.3:a:the_browsercompany_of_new_york:arcsearch:*:*:*:*:*:*:*:*). This is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), which typically involves failures in properly synchronizing the displayed URL with the actual content origin. The root cause likely involves timing issues or race conditions in updating the address bar when content changes, or improper handling of navigation events that allow the visual indicator (address bar) to become desynchronized from the actual document origin. The tags reference XSS and Google, suggesting potential exploitation vectors involving cross-site scripting techniques or exploitation through Google-hosted content.
RemediationAI
Users should immediately upgrade ArcSearch for Android to version 1.12.7 or later, which addresses this address bar spoofing vulnerability. The patch can be obtained through the Google Play Store by updating the ArcSearch application or by visiting the vendor's security bulletin at https://arc.net/security/bulletins for direct download options and detailed upgrade instructions. Until patching is completed, users should exercise extreme caution when interacting with unfamiliar web content through ArcSearch for Android, manually verify URLs before entering credentials or sensitive information, and consider using an alternative mobile browser for accessing high-value targets such as banking or corporate authentication portals. Organizations deploying mobile device management solutions should push the update to managed devices and consider temporarily blocking access to sensitive resources from unpatched ArcSearch browser instances through user-agent filtering or conditional access policies.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13808