A cross-site scripting vulnerability exists in versions prior to 3.12.129.18 of Naver Whale Browser, a web browser from Naver Korea that supports user-defined interfaces, due to a lack of data validation filtering of user-supplied and output data. An attacker could exploit this to allow extension developers to inject arbitrary JavaScript into extension store pages via devtools.inspectedWindow.