GitHub: FUNFACTOR1/pocket-android-xss-0click-cve
# XSS 0-Click / 0-Day Vulnerability Report
## Cross-Site Scripting (0-Click) Leading to JavaScript Bridge Abuse in Pocket Android
### (CVE-YYYY-NNNN — reservation requested)
**Author:** Ing. Zampier Zago
**Date:** 2026-05-26
**Classification:** Security Vulnerability Analysis — CVE Submission
**Report version:** 3.0 (Final — all dates verified against original email evidence)
## 1. Executive Summary
A DOM-based Cross-Site Scripting (XSS) vulnerability has been confirmed in Pocket Android version 8.33.0.0 (package `com.ideashower.readitlater.pro`), the final release by Mozilla / Read It Later, Inc. before service termination. The vulnerability allows an attacker to inject and execute arbitrary JavaScript in the application's WebView without any user interaction beyond a single "Save to Pocket" action — constituting a **0-click exploit** post-delivery.
The root cause is the unsanitized injection of externally-sourced HTML content directly into the DOM via jQuery's `.html()` method (`$(document.body).html(content)`), in the asset-bundled file `assets/html/j/articleview-mobile.js` (lines 95–99). Content is fetched and rendered automatically in the background by `com.pocket.sdk.offline.DownloadingService` with no user interaction required.
The application also exposes a native Java-to-JavaScript bridge (`PocketAndroidArticleInterface`), registered via `addJavascriptInterface` and confirmed in `classes2.dex`, callable by JavaScript executing within the WebView.
**Vendor disclosure record:** The XSS vulnerability was formally reported to Mozilla Security on **2024-07-10** with CWE-79 classification and technical detail. Mozilla acknowledged receipt on **2024-07-11** and explicitly declined to remediate, declaring Pocket out of scope. Mozilla subsequently released **v8.33.0.0 as the final version before service sunset in 2025** — with the vulnerable code entirely unchanged. Forensic analysis of v8.33.0.0 (2026-02-06) confirms the identical vulnerable call at lines 95–99 of `articleview-mobile.js`.
No patch is available. The product is abandoned. All installed instances remain permanently vulnerable.
| Field | Value |
|---|---|
| Vulnerability type | DOM-Based XSS (0-click) + JavaScript Bridge Abuse |
| CWE | CWE-79, CWE-116 |
| Exploit status | 0-click, 0-day — no patch available; product End-of-Life |
| Vendor response | 2024-07-11 — "Pocket is out of scope" (Frida, Mozilla Security Team) |
| Affected product | Pocket Android v8.33.0.0 (final release) |
| Package ID | `com.ideashower.readitlater.pro` |
| Vendor | Mozilla Corporation / Read It Later, Inc. |
| CVSS v4.0 Score | 9.2 — `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` |
| Severity | CRITICAL |
| First reported to vendor | 2021-04-19 (paywall bypass) |
| XSS formally reported to Mozilla Security | 2024-07-10 |
| Final APK released with vulnerability intact | Final Release (2025) — v8.33.0.0 |
| Post-sunset video evidence | 2026-01-02 |
| Forensic APK analysis | 2026-02-06 |
| Technical re-verification | 2026-05-22 |
| Disclosure timeline | 2021–2026 (5 years) |
## 2. Affected Product
- **Product name:** Pocket — Save. Read. Grow. (Android)
- **Package name:** `com.ideashower.readitlater.pro`
- **Build version:** 8.33.0.0 — **the final release before service sunset**
- **APK analyzed:** `com.ideashower.readitlater.pro_8.33.0.0.apk`
- **Vendor:** Read It Later, Inc. / Mozilla Corporation
- **Google Play URL:** https://play.google.com/store/apps/details?id=com.ideashower.readitlater.pro
- **Service status:** TERMINATED (2025). The application remains installed on millions of devices with no forced uninstall, kill-switch, or security update deployed. Video evidence (2026-01-02) confirms full operation — including paywall bypass and background services — months after official shutdown.
## 3. Vulnerability Details — Issue #1: 0-Click XSS via WebView
### 3.1 Vulnerability Classification
| Field | Value |
|---|---|
| Type | DOM-Based Cross-Site Scripting |
| CWE | CWE-79 — Improper Neutralization of Input During Web Page Generation |
| Secondary CWE | CWE-116 — Improper Encoding or Escaping of Output |
| Attack vector | Remote, 0-click (zero user interaction post-delivery) |
| Privileges required | None |
| Scope | Changed — WebView context crosses trust boundary into native Android bridge |
### 3.2 Vulnerable Component
**File:** `assets/html/j/articleview-mobile.js`
**Lines 95–99:**
```javascript
// article content was retrieved
loadCallback : function(content)
{
// TODO : 3.0 : If file was missing, handle that correctly
$(document.body).html(content);
```
**Root cause:** Externally-sourced HTML is passed directly to jQuery 3.4.1's `.html()` method with no sanitization. jQuery 3.4.1 executes embedded `
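A hardened form of the `loadCallback` above, added here as an example and not Pocket's or jQuery's code: instead of handing fetched markup to `.html()` unchanged, it rebuilds the article from an allowlist of tags and attributes, so `<script>` bodies, event-handler attributes and `javascript:` URLs in externally sourced content never reach the WebView DOM. The allowlist contents and the names `sanitizeArticleHtml` / `loadCallbackHardened` are assumptions.

```javascript
// Added example (not Pocket's code): allowlist re-serialization of article HTML.
// Only tags/attributes listed here are re-emitted; everything else becomes escaped text.
const ALLOWED_TAGS = new Set(["p", "a", "b", "i", "em", "strong", "h1", "h2", "h3", "ul", "ol", "li", "blockquote", "img", "br"]);
const ALLOWED_ATTRS = { a: ["href"], img: ["src", "alt"] }; // no on*, style, or srcdoc anywhere
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;               // rejects javascript:, data:, vbscript:

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

function sanitizeArticleHtml(html) {
  // Remove script/style bodies first so their contents are never re-emitted, even as text.
  html = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  const out = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  let last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index))); // text between tags is always escaped
    last = tagRe.lastIndex;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;             // unknown tag (svg, iframe, ...) is dropped
    if (m[0][1] === "/") { out.push(`</${tag}>`); continue; }
    const attrs = [];
    const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!(ALLOWED_ATTRS[tag] || []).includes(name)) continue;                    // drops onerror=, onclick=, ...
      if ((name === "href" || name === "src") && !SAFE_URL.test(value.trim())) continue; // drops javascript: URLs
      attrs.push(` ${name}="${escapeText(value)}"`);
    }
    out.push(`<${tag}${attrs.join("")}>`);
  }
  out.push(escapeText(html.slice(last)));
  return out.join("");
}

// Hardened replacement for the loadCallback shown above (jQuery assumed present in the WebView).
function loadCallbackHardened(content) {
  $(document.body).html(sanitizeArticleHtml(content));
}
```

The tokenizer fails closed: anything that does not parse as a complete, well-formed tag (an unterminated `<scr`, an unclosed quote) is emitted as escaped text rather than passed through.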