CVE-2024-52928: 
Homebrew vulnerability analysis and mitigation

Arc browser versions before 1.26.1 on Windows contained a site settings bypass vulnerability (CVE-2024-52928) that was discovered on November 4, 2024. The vulnerability allowed websites with previously granted permissions to add new permissions when users clicked anywhere on the website, effectively bypassing the explicit permission grant requirement (Vendor Advisory).

The vulnerability stemmed from improper handling of follow-up permissions requests for websites that had previously requested permissions on Arc for Windows. The issue was classified as an Improper Access Control (CWE-284) vulnerability. According to the National Vulnerability Database, it received a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, while MITRE assessed it at 9.6 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L (NVD).

The vulnerability allowed websites that had previously been granted permissions to automatically obtain additional permissions without explicit user consent, simply when users clicked anywhere on the webpage. This bypass of the permission system could potentially lead to unauthorized access to browser features and user data (Vendor Advisory).

The vulnerability was patched in Arc version 1.26.1 for Windows, released on November 4, 2024. Users are advised to update to version 1.26.1 or later to protect against this vulnerability. The fix addresses how Windows handles additional permissions requests for sites that previously had permissions granted by the user (Vendor Advisory).

The vulnerability was responsibly disclosed by security researcher Bharat(mrnoob), who was credited by The Browser Company for reporting the finding (Vendor Advisory).