The folks at Rapid 7 (whom I know well) have written up and tested a recently released bug in the stock browser. This seems to impact pre 4.4 Android phones. In simple turns, the bad guy gets you to go to his website he can see all the other tabs on your browser, and all your session cookies to those websites. So he can snag your authentication to another website.
https://community.rapid7.com/commun...droid-bug-is-a-privacy-disaster-cve-2014-6041
https://community.rapid7.com/commun...droid-bug-is-a-privacy-disaster-cve-2014-6041
