CVE-2024-21382 is a medium-severity information disclosure vulnerability affecting Microsoft Edge (Chromium-based) on Android devices. The root cause is a permissive cross-domain policy configuration that allows untrusted domains to access sensitive information. Specifically, this vulnerability is categorized under CWE-942, which involves overly permissive cross-domain policies that do not properly restrict which domains can interact with web resources. In this case, Microsoft Edge's Android version improperly allows cross-origin requests from untrusted domains, potentially enabling malicious websites to access or leak sensitive data from the browser or web applications running within it. The vulnerability requires no privileges and no authentication but does require user interaction, such as visiting a malicious website. The CVSS 3.1 base score is 4.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, user interaction required, and limited confidentiality impact without affecting integrity or availability. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. This vulnerability primarily impacts the confidentiality of data accessible via the browser on Android devices running the affected version (1.0.0) of Microsoft Edge Chromium-based browser.

For European organizations, this vulnerability poses a risk of sensitive information leakage through the Microsoft Edge browser on Android devices. Since many employees use mobile devices for accessing corporate resources, a malicious website could exploit this flaw to extract confidential data such as session tokens, personal information, or internal web application data if accessed via the vulnerable browser. This could lead to privacy breaches, unauthorized access to corporate systems, or data exfiltration. The impact is particularly relevant for sectors handling sensitive or regulated data, such as finance, healthcare, and government agencies within Europe. However, the medium severity and requirement for user interaction limit the likelihood of widespread automated exploitation. Still, targeted phishing or social engineering campaigns could leverage this vulnerability to compromise user data confidentiality.

European organizations should implement the following specific mitigation measures: 1) Enforce strict mobile device management (MDM) policies that restrict installation or usage of outdated or vulnerable browser versions, ensuring Microsoft Edge is updated promptly once patches are released. 2) Educate users about the risks of visiting untrusted websites and the importance of cautious browsing behavior on mobile devices. 3) Use network-level protections such as web filtering and DNS filtering to block access to known malicious domains that could exploit this vulnerability. 4) Monitor network traffic for unusual data flows that might indicate information leakage from mobile devices. 5) Consider deploying alternative browsers with more restrictive cross-domain policies on managed Android devices until the vulnerability is patched. 6) Coordinate with Microsoft for timely patch deployment and verify the update status across all Android endpoints. These measures go beyond generic advice by focusing on mobile device management, user awareness, and network controls tailored to the nature of this vulnerability.