breautek commented on issue #1064: URL: https://github.com/apache/cordova-android/issues/1064#issuecomment-687396948
Javascript that executes in an iframe can access the parent frame's JavaScript environment via [window.frameElement](https://developer.mozilla.org/en-US/docs/Web/API/Window/frameElement)\*.

> Since the secret isn't exposed to JavaScript

The secret is exposed/held in JavaScript memory. See https://github.com/apache/cordova-android/blob/565106fc1f840cb681905e6add8a44dce40dc984/cordova-js-src/exec.js#L112

Whether or not it's easily readable by code outside the cordova library is another question, but you should assume it's possible.

> I'd also be curious to know how plugins can still use cordova.exec without the bridge secret.

The secret is an abstraction, and plugins don't need to be concerned about managing the bridge secret. They all call on a [platform-specific execute method](https://github.com/apache/cordova-android/blob/565106fc1f840cb681905e6add8a44dce40dc984/cordova-js-src/exec.js#L67) which does know the secret. So if untrusted code gains access to your cordova APIs, including plugin APIs, it will be able to call on device APIs; third-party code doesn't need to actually find the secret to exploit your application.

Having remote/third-party code executing native APIs is also explicitly forbidden in [Apple's App Store terms of service](https://developer.apple.com/app-store/review/guidelines/#third-party-software) and [Google Play's terms of service (section Device and Network Abuse)](https://support.google.com/googleplay/android-developer/answer/9914283?hl=en). In this case, I believe "third-party" includes all executable code that isn't bundled within the application package itself.

\*MDN says that `frameElement` will be `null` if the iframe is cross-origin; however, I'm not sure it's the best idea to assume this is the case for all browsers or devices. I assume browsers that don't implement the CORS protocol don't do cross-origin checks, such as IE11 and older versions of the Android WebView that run on Android 4.4 - 5.0.

In conclusion, **assume your app is vulnerable** if you leak your cordova environment to third-party code.

Let me know if these answer your questions.
