MetaMask Browser (on Android) does not enforce Content-Security-Policy header
Posted: Tue Nov 05, 2024 6:34 am
This vulnerability occurs because the MetaMask browser on Android fails to enforce Content-Security-Policy (CSP) headers, leaving pages it renders open to cross-site scripting (XSS). An attacker who can inject script into a web page viewed in the MetaMask browser is not constrained by that page's CSP, increasing the risk of data exposure and security breaches.
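A defender-side check for this class of bug is to serve a page with a strict nonce-based CSP and see whether the browser under test still runs an inline script that carries no nonce. The probe server below is an added example written for this note, not code from the HackerOne report or from MetaMask; the port, paths and reporting endpoint are assumptions.

```python
"""Probe whether a (mobile/in-app) browser actually enforces Content-Security-Policy.

Run it on a host the device can reach and open http://<host>:8000/ in the browser
under test. The page carries a strict nonce-based CSP; its first inline script has
NO nonce, so a compliant browser must block it and post a violation report.
"""
import http.server, json, secrets, sys

RESULTS = {"executed": False, "reports": []}  # what the device under test told us

def build_csp(nonce):
    # Strict policy: only scripts carrying this nonce may run; no 'unsafe-inline'.
    # report-uri is deprecated in favour of report-to but still widely honoured.
    return (f"default-src 'none'; script-src 'nonce-{nonce}'; "
            "connect-src 'self'; report-uri /csp-report")

def build_page(nonce):
    # The first inline script deliberately lacks the nonce, so it must NOT run;
    # if it does, the browser ignored the CSP header. The second one is allowed.
    return f"""<!doctype html><title>CSP probe</title>
<p id=s>Probe loaded; check the server console.</p>
<script>fetch('/executed',{{method:'POST'}});document.getElementById('s').textContent='CSP NOT enforced';</script>
<script nonce="{nonce}">document.title='nonce ok';</script>"""

def verdict(executed, reports):
    if executed:
        return "CSP NOT enforced: un-nonced inline script ran"
    if reports:
        return "CSP enforced: inline script blocked and violation reported"
    return "inconclusive: no execution and no report (page not loaded?)"

class Probe(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        nonce = secrets.token_urlsafe(16)          # fresh nonce per page load
        body = build_page(nonce).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", build_csp(nonce))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        data = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/executed":                # beacon from the blocked script
            RESULTS["executed"] = True
        elif self.path == "/csp-report":            # browser's CSP violation report
            RESULTS["reports"].append(json.loads(data or b"{}"))
        self.send_response(204); self.end_headers()
        print(verdict(RESULTS["executed"], RESULTS["reports"]), file=sys.stderr)

if __name__ == "__main__":
    http.server.HTTPServer(("0.0.0.0", 8000), Probe).serve_forever()
```

Load the page once per browser build; "inconclusive" after a load usually means the device could not reach the server or the page was cached.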
https://hackerone.com/reports/1941767