jcesarmobile closed CB-12202.
    Resolution: Duplicate
      Assignee: jcesarmobile

It's a duplicate of CB-11719

> Security: Exposed Dangerous Method or Function
> ----------------------------------------------
>                 Key: CB-12202
>                 URL: https://issues.apache.org/jira/browse/CB-12202
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>            Reporter: Daulet Urazalinov
>            Assignee: jcesarmobile
>              Labels: security
> We use VeraCode to analyze level of security of our applications. When we 
> submit our application that uses the latest Cordova version, we get "Exposed 
> Dangerous Method or Function" 
> (http://cwe.mitre.org/data/definitions/749.html) in this file: 
> org/apache/cordova/engine/SystemWebViewEngine.java line 262.
> We would like to know your opinion about this issue and suggested remediation.
> Here is the detailed information we got from VeraCode:
> Attack Vector: android.webkit.WebView.addJavascriptInterface
> Description: Use of the android.webkit.WebView.addJavascriptInterface() 
> method before Android SDK revision 17 (Android 4.2) is dangerous, as this 
> allows remote attackers to execute arbitrary methods of Java objects (using 
> the inherited .getClass()) within JavaScript code that is loaded into the 
> WebView.
> Remediation: The ideal solution is to remove the use of a JavaScript-Java 
> bridge in this application. Another possible solution is to develop a custom 
> bridge via the shouldOverrideUrlLoading() method; however, this option can be 
> risky and consideration must be given to what functionality is exposed and to 
> the prevention of injection attacks. If removal or development of a custom 
> solution are not options, then one should at least verify the application is 
> not loading JavaScript from an untrusted source.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org

Reply via email to