Kindle Touch 5.1.0 contains a scriptable browser plugin which can be invoked by accessing a malicious web page.
It has been reported that Kindle Touch 5.1.0 has introduced an NPAPI plugin
/usr/lib/libkindleplugin.so (symlinked to
/usr/lib/browser/plugins/libkindleplugin.so) that can be used by the system-wide WebKit engine.
libkindleplugin is scriptable by the browser and can be invoked to access its "exported" native methods when a user accesses a web page containing embedded scripts.
The user eureka has reported on the MobileRead forums that they have found multiple "exported" properties and methods associated with
property test (it just returns number 500)
By convincing a user to access a specially crafted web page, a remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.