Arc has a feature called Boosts that allows you to customize any website with custom CSS and Javascript. Because running arbitrary Javascript on websites poses potential security concerns, we've chosen not to make boosts with custom Javascript shareable among all members, but still sync them to our server so your own boosts are available across devices.
We use Firebase as the backend for certain Arc features (more on that below) and use it to store Boosts for sharing and syncing between devices. Unfortunately, our Firebase ACLs (Access Control Lists, the way Firebase secures endpoints) were misconfigured, allowing users to make Firebase requests to change the CreatorID of a Boost after it was created. This allowed any Boost to be assigned to any user (assuming you had their user ID) and thus activate it for them, resulting in custom CSS or JS being executed on the site where the Boost was active.