CVE-2024-46962 is a critical vulnerability identified in the Android application 'Master Video Downloader' (com.downloader.video.fast), specifically affecting versions through 2.0. The vulnerability resides in the SpeedMainAct component, which improperly handles JavaScript code execution. This flaw allows an attacker to execute arbitrary JavaScript code remotely without requiring any privileges or user interaction, making it a highly exploitable remote code execution (RCE) vulnerability. The root cause is linked to CWE-94, indicating improper control over code generation, which in this case is JavaScript code execution within the app’s context. The CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) highlights that the attack vector is network-based, with low attack complexity, no privileges or user interaction needed, and results in high confidentiality and integrity impacts, though availability remains unaffected. While no public exploits have been reported yet, the vulnerability’s nature suggests that attackers could leverage it to execute malicious scripts, potentially stealing sensitive data or manipulating app behavior. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation. Given the widespread use of Android devices and the popularity of video downloader apps, this vulnerability poses a significant risk to end users and organizations that utilize this app for media downloading purposes.

The impact of CVE-2024-46962 is substantial due to its ability to allow remote code execution without authentication or user interaction. Attackers exploiting this vulnerability can execute arbitrary JavaScript code within the context of the vulnerable app, potentially leading to unauthorized access to sensitive user data, manipulation of app functions, or further compromise of the device. Confidentiality and integrity are severely impacted, as attackers could exfiltrate personal information or alter app behavior to serve malicious purposes. Although availability is not directly affected, the compromise could facilitate subsequent attacks that degrade device or network performance. Organizations with employees using this app risk data leakage and potential lateral movement within corporate networks if devices are compromised. The global reach of Android devices means the threat could affect millions of users, especially in regions where the app is popular. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for mitigation given the vulnerability’s critical severity and ease of exploitation.

To mitigate CVE-2024-46962, users and organizations should immediately check for updates from the app developer and apply any available patches once released. Until a patch is available, consider uninstalling the 'Master Video Downloader' app or replacing it with a trusted alternative. Employ mobile device management (MDM) solutions to restrict installation of vulnerable apps and monitor app behavior for anomalies. Network-level controls such as web filtering and intrusion detection systems can help detect and block malicious payloads targeting this vulnerability. Developers and security teams should conduct code reviews focusing on JavaScript execution contexts and implement strict input validation and sanitization to prevent code injection. Additionally, sandboxing the app’s JavaScript execution environment can limit the impact of potential exploits. Educate users about the risks of installing apps from untrusted sources and the importance of timely updates. Finally, monitor threat intelligence feeds for any emerging exploits or patches related to this CVE.