This vulnerability occurs because the MetaMask browser on Android fails to enforce Content Security Policy (CSP) headers, leaving it open to potential cross-site scripting (XSS) attacks. Attackers can potentially inject malicious scripts into web pages viewed in the MetaMask browser, increasing the risk of data exposure and security breaches.
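To make concrete what "enforcing CSP" means, here is an added example (not code from MetaMask or the report) that models the decision an enforcing browser must make for every script: whether an inline script or an external script URL is permitted by the page's Content-Security-Policy header. Only script-src and default-src are modelled, and the policy strings, origins and URLs are constructed for illustration; a browser that ignores the header behaves as if no directive were present and runs whatever the page contains.

```javascript
// Added example (not MetaMask code): minimal CSP script evaluator; policies, origins and URLs are constructed.
// Parse a Content-Security-Policy header into {directive: [sources]}; first occurrence of a directive wins.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src governs scripts, default-src is the fallback; with neither present nothing is
// restricted, which is also the effective outcome when a browser ignores the header entirely.
function scriptSources(policy) {
  return policy['script-src'] ?? policy['default-src'] ?? null;
}

// May an inline <script> run? Only via 'unsafe-inline' (disabled once a nonce/hash source is
// present) or a matching 'nonce-…' / 'sha256-…' source.
function inlineScriptAllowed(policy, { nonce = null, hash = null } = {}) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return true;
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  if (hash !== null && sources.includes(`'${hash}'`)) return true;
  return false;
}

// May an external script at `url` load into a page served from `pageOrigin`?
function externalScriptAllowed(policy, url, pageOrigin) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const target = new URL(url);
  const page = new URL(pageOrigin);
  return sources.some(src => {
    if (src === "'self'") return target.origin === page.origin;
    if (src.startsWith("'")) return false;                     // other keywords never match a URL
    if (src === '*') return /^https?:$/.test(target.protocol);  // * excludes data:, blob:, etc.
    if (src.endsWith(':')) return target.protocol === src;      // scheme-source such as https:
    // host-source [scheme://][*.]host[:port]; path matching omitted
    const m = src.match(/^(?:([a-z]+):\/\/)?(\*\.)?([^\/:]+)(?::(\d+))?/i);
    if (!m) return false;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && target.protocol !== `${scheme.toLowerCase()}:`) return false;
    if (port && port !== (target.port || (target.protocol === 'https:' ? '443' : '80'))) return false;
    return wildcard ? target.hostname.endsWith(`.${host}`) : target.hostname === host;
  });
}
```

Serving a test page with a strict policy and an inline script that is not nonced, then checking whether that script ran, is a quick way to confirm a WebView-based browser actually applies these rules.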
https://hackerone.com/reports/1941767