Samsung has patched a security flaw relating to the Galaxy Store app that attackers could exploit to execute remote code on affected smartphones, The Hacker News reports.

The vulnerability involves a cross-site scripting (XSS) flaw related to deep link handling. Only Galaxy Store version 4.5.32.4 is affected.

XSS attacks can let attackers introduce and execute malicious JavaScript code when a user visits a website through a browser or another application.

SSD Secure Disclosure released an advisory on 26 October 2022, explaining how the Galaxy Store’s failure to check deep links can result in an attack.

“Here, by not checking the deep link securely, when a user accesses a link from a website containing the deep link, the attacker can execute JS code in the webview context of the Galaxy Store application,” it said.

The Galaxy Store vulnerability relates to how deep links are configured for Samsung’s Marketing and Content Service (MCS).

In a scenario where arbitrary code is injected into the MCS website, malicious actors could execute the code to download and install apps laced with malware when a user visits the link.

“To be able to successfully exploit the victim’s server, it is necessary to have HTTPS and CORS bypass of Chrome,” SSD Secure Disclosure added.