Once the QR code has been scanned and has become active, malicious JavaScript can then simulate login portals, exfiltrate data via hidden forms and fingerprint devices for further exploitation.

The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.