Security News DuckDuckGo Browser UXSS Flaw in Auto Consent JS Bridge Enables Cross-Origin Code Execution

[Parkinsond]

Content source

https://cybersecuritynews.com/duckduckgo-browser-uxss-vulnerability/

A critical Universal Cross-Site Scripting (UXSS) vulnerability was recently discovered in the DuckDuckGo Android browser.

This flaw allowed untrusted, cross-origin iframes to execute arbitrary JavaScript in the top-level origin, tracked with a high-severity CVSS score of 8.6.

The vulnerability stems from the “AutoconsentAndroid” JavaScript bridge, a native component injected into web pages loaded by the DuckDuckGo Android application (com.duckduckgo.mobile.android).

This bridge is designed to facilitate seamless communication between the browser’s native Android code and the web page displayed.

However, it failed to implement proper security checks, leading to a severe breach of the Same-Origin Policy (SOP).

UXSS is considered a critical browser-class vulnerability because it can be exploited without user interaction.

DuckDuckGo Browser UXSS Flaw in Auto Consent JS Bridge Enables Cross-Origin Code Execution

A critical UXSS flaw in the DuckDuckGo Android browser allowed cross-origin iframes to run arbitrary JavaScript in the top-level origin.

cybersecuritynews.com

 

[oldschool]

I'd never use anything DDG, but that's just me.

 

[Parkinsond]

I'd never use anything DDG, but that's just me.

Tried it once; did not like, slow, poverty of basic features; nothing special to justify its use.

 

[LinuxFan58]

I'd never use anything DDG, but that's just me.

Why?

 

[oldschool]

Why?

Search quality. Horrible name, logo and graphics. Search page is a junk pile, but DDG bills itself as "Protection. Privacy. Peace of mind."

DDG browser: who needs another browser in the browser wars?

 

[Parkinsond]

Search quality. Horrible name, logo and graphics. Search page is a junk pile, but DDG bills itself as "Protection. Privacy. Peace of mind."

DDG browser: who needs another browser in the browser wars?

The fastest browser on earth

 

[Zero Knowledge]

DDG search is OK, and I do like their A.I. integration although models are outdated, however their browser though is pretty awful.

 

[Parkinsond]

DDG search is OK

According to the genre of searched items.

 

[Zero Knowledge]

According to the genre of searched items.

Saying that I wonder what the use case is for DDG search when you use Gmail as your main email or a Android phone. Logically is doesn't make sense to use DDG.

 

[Parkinsond]

Saying that I wonder what the use case is for DDG search when you use Gmail as your main email or a Android phone. Logically is doesn't make sense to use DDG.

DDG uses Bing engine; their results are very close.
Startpage and Ecosia use Google engine.
Yandex God knows what they are using

Bing/DDG are fine for scientific search.
Google/Startpage/Ecosia are good too, with an advantage of better general search.
Yandex has the advantage of not following Western restrictions, thus gets the best match for piracy websites

 

[oldschool]

DDG uses Bing engine; their results are very close.
Startpage and Ecosia use Google engine.
Yandex God knows what they are using

Bing/DDG are fine for scientific search.
Google/Startpage/Ecosia are good too, with an advantage of better general search.
Yandex has the advantage of not following Western restrictions, thus gets the best match for piracy websites

Brave Search beats DDG hands-down.

Saying that I wonder what the use case is for DDG search when you use Gmail as your main email or a Android phone. Logically is doesn't make sense to use DDG.

You may have a valid point. I use Brave Search in Chrome on Android and Windows. It's also clutter-free and more eye pleasing than others I've used. I use G now and then.

 

[LinuxFan58]

DDG search is OK, and I do like their A.I. integration although models are outdated, however their browser though is pretty awful.

I am using Brave and found that Leo is a lot more accurate that DDG's AI.

 

[Miravi]

It's not my favorite, but DuckDuckGo's results have likely improved alongside Bing's own noticeable progress. The search layout doesn't look too bad. They've also made it highly customizable from built-in settings. The brand is still silly.

Brave Search has proven highly usable for me. It's easy, fast, and keeps a clean layout. I usually fall back to Startpage if I want to supplement with Google results.

It's interesting to recall how far back DuckDuckGo's history reaches—it all started in 2008. DDG publicly stated that their annual revenue exceeded $100M back in 2021, 13 years after it was founded. Brave just passed $100M in annual revenue in 2025, 10 years after it was founded in 2015.

Brave operating an independent search index costs them significantly more than just paying Bing, but DDG handles ~100 million daily queries, nearly twice as many as Brave's ~53 million announced in 2025. Brave Search launched in 2021. The growth achieved by Brave is impressive.