CVE-2026-12348 | Severity: HIGH | CNA: BCNY

CVE-2026-12348: Address Bar Spoofing in Arc Search for Android (window.open race condition)

Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.

Metrics

  • CVSS v3.1 base score: 7.4
  • Severity: HIGH
  • Fixed in: 0 fix versions published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Address bar spoofing in Arc Search for Android (all versions) allows a remote attacker to display a trusted domain in the address bar while the browser actually renders attacker-controlled content. The attack is reachable over the network, requires no authentication, and only needs the victim to interact with a malicious link or page triggering a window.open race condition. Successful exploitation enables convincing phishing attacks by making fraudulent pages appear to originate from a legitimate, trusted domain. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-12348 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle or depend on Arc Search for Android components.

Triage (Available)

HarborGuard scores this CVE at 7.4 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to prioritize routing. Triage findings are delivered to the inbox or ticketing integration configured for the affected team within each customer org.

Patch (Available)

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will follow without manual intervention once the fix is available.


Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim over the network, typically by luring them to a malicious URL or injecting content on a reachable page.

  • Authentication: Not required

    No account or credentials are required; the attacker needs only to get the victim to load attacker-controlled content.

  • Victim interaction: Required

    The victim must interact with a malicious link or page that triggers the window.open race condition, making this a social-engineering-dependent attack.

  • Attack complexity: Low

    Attack complexity is low. Beyond the window.open timing described in the advisory, the exploit is reliable and does not depend on winning a separate race against a defender, on a special memory layout, or on other unpredictable environmental factors.

Blast Radius

  • The attacker renders fully attacker-controlled HTML, JavaScript, and form content inside the victim's browser tab while the address bar displays a trusted domain the victim recognizes.
  • Victims who enter credentials, payment details, or other sensitive data on the spoofed page hand that data directly to the attacker's infrastructure.
  • Because the spoofed origin appears legitimate, browser-level trust indicators (HTTPS lock, domain display) provide no warning, increasing the effective success rate of credential-harvesting campaigns.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously across every ingest cycle because no upstream fix exists yet. In the interim, customers can apply compensating controls through HarborGuard policy rules, such as network-policy isolation to restrict outbound connections from affected mobile-companion or browser-wrapper container workloads, and feature-flag gating to disable components that embed Arc Search for Android until a patch is available. The moment The Browser Company of New York publishes a corrected release, HarborGuard will ingest it, mark a patched rebuild as available, and, for customers who opt into auto-remediation, trigger a rebuild plus regression test run and open a PR against affected workloads automatically.


Fix available: none (0 fix versions published)

Affected packages
  • The Browser Company of New York / Arc Search
    Fixed in: no upstream fix version published yet
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N