
CVE-2024-46966: n/a

Severity: High
Published: Mon Nov 11 2024 (11/11/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

The Ikhgur mn.ikhgur.khotoch (aka Video Downloader Pro & Browser) application through 1.0.42 for Android allows an attacker to execute arbitrary JavaScript code via the mn.ikhgur.khotoch.MainActivity component.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 07:33:12 UTC

Technical Analysis

CVE-2024-46966 is a high-severity vulnerability in the Ikhgur mn.ikhgur.khotoch Android application, also known as Video Downloader Pro & Browser, affecting versions up to and including 1.0.42. The flaw resides in the mn.ikhgur.khotoch.MainActivity component: content that reaches this component can carry JavaScript that the app executes without adequate restriction, so an attacker can run arbitrary JavaScript inside the app's web-content context. The weakness is classified as CWE-94 (Improper Control of Generation of Code). Note that this is script execution within the app's embedded browser (WebView) context, not native code execution on the device; it can nonetheless read and alter whatever the app exposes to its web content. The CVSS v3.1 vector has a network attack vector, low attack complexity and no privileges required (AV:N/AC:L/PR:N), but user interaction is required (UI:R), for example opening a malicious link or page in the app. Scope is unchanged (S:U), so the impact is confined to the vulnerable application. The base score is 8.1 (High), with high confidentiality and integrity impact (C:H/I:H) and no availability impact (A:N): an attacker can read or alter data the app can access but is not expected to take the app offline. At the time of this analysis no patch has been publicly disclosed and no in-the-wild exploitation has been reported; users of the app remain exposed until a fixed version ships, and the flaw is a plausible target for both targeted and opportunistic attacks once a working exploit circulates.
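The advisory does not say how attacker-controlled content reaches MainActivity. The following is an added illustration, not code from the Video Downloader Pro & Browser app, of the usual shape of this weakness class on Android: an exported Activity that hands an Intent-supplied URL to a JavaScript-enabled WebView, shown beside a hardened version that rejects every scheme except https, pins the host to an allow-list, leaves JavaScript off and applies the same check to navigations the page itself starts. The manifest fragment, the "url" extra name and the ALLOWED_HOST value are assumptions made for the example.

```java
// Added example: generic CWE-94 pattern in an Android WebView Activity.
// Not the vulnerable app's code; extra names, host and manifest are hypothetical.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class MainActivity extends Activity {

    // ---- Vulnerable shape (kept as comments for contrast) ----
    // AndroidManifest.xml (hypothetical):
    //   <activity android:name=".MainActivity" android:exported="true">
    //     <intent-filter> ... <data android:scheme="http" /> ... </intent-filter>
    //   </activity>
    // Because the Activity is exported, any app on the device, or a crafted link,
    // can deliver an Intent whose URL lands in a JS-enabled WebView:
    //   WebView wv = new WebView(this);
    //   wv.getSettings().setJavaScriptEnabled(true);
    //   wv.loadUrl(getIntent().getStringExtra("url"));
    // loadUrl("javascript:...") executes the payload as script in the app's context.

    // ---- Hardened shape ----
    // Host the WebView is allowed to show (assumption for the example).
    private static final String ALLOWED_HOST = "example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        setContentView(wv);

        // Keep script off unless a feature truly needs it; never pair JS with untrusted URLs.
        wv.getSettings().setJavaScriptEnabled(false);
        // Deny access to local files and content providers from web content.
        wv.getSettings().setAllowFileAccess(false);
        wv.getSettings().setAllowContentAccess(false);

        // Re-check every navigation the page initiates; returning true blocks it.
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest req) {
                return !isAllowed(req.getUrl());
            }
        });

        // Only the Intent's data URI is honoured, and only after validation.
        Uri target = getIntent().getData();
        if (!isAllowed(target)) {
            finish();      // refuse to render anything attacker-controlled
            return;
        }
        wv.loadUrl(target.toString());
    }

    // Scheme check rejects javascript:, file:, content:, data: and plain http:;
    // host check pins the page to the single allowed origin.
    static boolean isAllowed(Uri u) {
        if (u == null) return false;
        if (!"https".equalsIgnoreCase(u.getScheme())) return false;
        String host = u.getHost();
        return host != null && host.equalsIgnoreCase(ALLOWED_HOST);
    }
}
```

In the manifest, the hardened Activity should also carry android:exported="false" unless it genuinely must receive links from outside the app; if it must, the validation above is what stands between an arbitrary Intent and script execution inside the app.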

Potential Impact

An attacker who triggers the flaw runs arbitrary JavaScript within the context of the vulnerable application, compromising the confidentiality and integrity of data the app holds or displays. That can mean theft of sensitive information, hijacking of sessions held by the app's embedded browser, or manipulation of the app's behaviour as the user sees it. Because availability is not affected, denial of service is not the expected outcome. The attack needs no authentication, so the only practical barrier is the user-interaction step, which social engineering (a link sent by chat or email, or a malicious page reached through the app's browser) readily supplies. Organizations whose staff use this app on work or BYOD devices face data exposure, loss of user trust and possible regulatory consequences, and the absence of a patch extends the window of exposure. The threat is most relevant to enterprises with mobile workforces or BYOD policies and to individual users in regions where the app is popular.

Mitigation Recommendations

1. Discontinue use of the vulnerable versions (1.0.42 and earlier) of the Ikhgur mn.ikhgur.khotoch app until a patched version is released, or uninstall it where it is not required.
2. Monitor official vendor channels and security advisories for updates addressing CVE-2024-46966.
3. Disable JavaScript in the app's built-in browser if the app offers such a setting; this analysis does not confirm that it does, so do not rely on it as a control.
4. Educate users not to open untrusted links or content in the app, since user interaction is what triggers the flaw.
5. Use mobile device management (MDM) to inventory installed apps, flag package mn.ikhgur.khotoch at versionName 1.0.42 or lower, and block installation of vulnerable versions.
6. Apply network-level protections such as web filtering and intrusion detection to block known-malicious pages; these see only traffic that crosses the network and are a supplement to removing the app, not a substitute.
7. Audit mobile applications used within the organization regularly for similar WebView and exposed-component weaknesses.
8. Prepare incident response plans to address potential exploitation, including revoking sessions or credentials that may have been handled by the app.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-09-16T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d06b7ef31ef0b56d507

Added to database: 2/25/2026, 9:43:34 PM

Last enriched: 2/28/2026, 7:33:12 AM

Last updated: 4/11/2026, 7:04:30 PM
