Baloch said via email that although Google has issued a patch for the vulnerability, it’s not exactly clear which versions it protects. The email from Google’s security team said that the fix was applied for Jelly Bean users, which means users of Android 4.1-4.3. So there’s no fix for downstream users, apparently.
The Android browser was the default installed browser on Android devices for a time, but Google has stopped supporting it. Chrome is now the preferred browser on Android devices.
Baloch, who discovered a separate SOP bypass flaw in the Android browser earlier this year, said that there are several other browsers that contain the newer SOP bypass flaw, including Safari 5.0.
“There are tons of other browsers with a huge userbase that are vulnerable to the same vulnerability: Maxthon, CM Browser, Safari Browser 5.0, to name a few. In case you are still using the Android browser or any of the other browsers, you should immediately apply patches or switch to Chrome or Firefox. I believe there are several other vulnerabilities that were addressed in Chrome WebKit and still have not been addressed inside of the Android browser, therefore it is recommended to avoid it completely,” he said.