CVE-2024-45489 is a critical remote code execution (RCE) vulnerability identified in Arc browsers released before August 26, 2024. The vulnerability stems from improperly configured Firebase Access Control Lists (ACLs) that govern the sharing and updating of JavaScript boosts—small scripts or extensions that run within the browser context. Normally, JavaScript boosts cannot be shared by default to prevent unauthorized code execution. However, due to the misconfiguration, an attacker can exploit the ACLs to create or update a boost using another user's identifier. This action causes the malicious boost to be installed in the victim's browser and executed with privileged context, allowing arbitrary JavaScript code execution. The attack requires no authentication or user interaction, making it highly exploitable remotely over the network. The vulnerability is classified under CWE-284 (Improper Access Control), highlighting the root cause as insufficient enforcement of access permissions. The CVSS v3.1 base score is 9.8 (critical), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. Despite its severity, the vulnerability is noted as a no-action cloud vulnerability with zero affected users, implying that either the vulnerable configuration is not deployed in production or no exploitation has been observed. No patches or exploits are currently reported, but the risk remains high for any deployment using vulnerable Arc versions with misconfigured Firebase ACLs.

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code within the victim's browser with elevated privileges. This can lead to full compromise of the user's browser environment, including theft of sensitive data, session hijacking, installation of persistent malicious scripts, and potentially lateral movement within internal networks if the browser is used for accessing corporate resources. The complete compromise of confidentiality, integrity, and availability of the browser session poses severe risks to individual users and organizations relying on Arc browsers. Given the ease of exploitation (no authentication or user interaction required) and network accessibility, the potential impact is critical. However, the current impact is mitigated by the absence of known affected users or active exploitation. Organizations using Arc browsers in environments where Firebase ACLs are misconfigured are at significant risk if the vulnerability is not addressed promptly.

1. Immediately update Arc browsers to versions released after 2024-08-26 once patches become available to eliminate the vulnerability. 2. Review and correct Firebase ACL configurations to ensure that boosts cannot be created or updated using another user's ID, enforcing strict access controls and least privilege principles. 3. Implement monitoring and alerting for unusual boost creation or modification activities within Firebase to detect potential exploitation attempts. 4. Conduct security audits of all JavaScript boosts and extensions deployed in the environment to verify their integrity and origin. 5. Educate users and administrators about the risks of sharing boosts and the importance of secure configuration management. 6. Employ Content Security Policy (CSP) headers and browser security features to limit the impact of arbitrary JavaScript execution if exploitation occurs. 7. Maintain an incident response plan to quickly isolate and remediate compromised browsers or accounts if exploitation is detected.