Chrome for Android's Same-Origin Policy for local files (file: URI) can be bypassed by using symbolic links. It results in theft of Chrome's private files by malicious Android applications. Version 18.0.1025308 was released to address this vulnerability.
31b4f82055384f1f95a84986da35e99a7077219bca1316b3a7026760d9c6556a