On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasn't quite right, so we've amended it.
You can read the amended blog post here.
In order not to break existing applications, Cordova Android 3.5.1 disallows clearly malicious URLs, but will still hand links like geo: to their default applications. (It is, after all, a useful feature, and there are many published applications which rely on that behaviour.) If you want to restrict that even further, you can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked completely.
As a very simple example of this, I have published a sample plugin which blocks every URL that would otherwise launch an external application. To use it, install it with
cordova plugin add net.iclelland.external-app-block
or feel free to clone it from GitHub and tweak it to suit your needs.
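To make the plugin mechanism concrete, here is an added example of a per-scheme URL filter written as a Cordova Android 3.x plugin. It is neither the sample plugin above nor Cordova's own code; the package and class names, the two scheme lists and the logging are this example's choices. It hooks CordovaPlugin.onOverrideUrlLoading, which Cordova's PluginManager consults for every top-level navigation before the built-in handling runs, and returns true to swallow any URL whose scheme is neither one the WebView may load itself nor one the app deliberately hands to an external application.

```java
// Hypothetical plugin; package, class and scheme lists are this example's choices.
package net.example.urlfilter;

import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import org.apache.cordova.CordovaPlugin;

import android.util.Log;

/*
 * Register the class in the plugin's plugin.xml with onload="true". PluginManager
 * only asks plugins that have already been instantiated, so without onload the
 * first navigation would happen before this filter exists:
 *
 *   <config-file target="res/xml/config.xml" parent="/*">
 *     <feature name="UrlSchemeFilter">
 *       <param name="android-package" value="net.example.urlfilter.UrlSchemeFilter" />
 *       <param name="onload" value="true" />
 *     </feature>
 *   </config-file>
 */
public class UrlSchemeFilter extends CordovaPlugin {
    private static final String TAG = "UrlSchemeFilter";

    // Schemes the WebView itself may load. http and https remain subject to the
    // <access origin="..."> whitelist in config.xml; this filter does not replace it.
    private static final List<String> INTERNAL_SCHEMES = Arrays.asList("http", "https", "file");

    // Schemes this app still hands to the default external application.
    // Trim to what the app really needs (assumption here: maps and the dialer only).
    private static final List<String> EXTERNAL_ALLOWED = Arrays.asList("geo", "tel");

    /** Lower-cased scheme of a URL, or "" if it has none (null, empty, or malformed input). */
    static String schemeOf(String url) {
        if (url == null) return "";
        int colon = url.indexOf(':');
        if (colon <= 0) return "";
        String scheme = url.substring(0, colon).trim().toLowerCase(Locale.ROOT);
        // RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ); anything else is not a scheme.
        return scheme.matches("[a-z][a-z0-9+.-]*") ? scheme : "";
    }

    /** The decision, kept free of Android types so it can be unit-tested on a plain JVM. */
    static boolean shouldBlock(String url) {
        String scheme = schemeOf(url);
        if (INTERNAL_SCHEMES.contains(scheme)) return false; // Cordova and the whitelist decide
        if (EXTERNAL_ALLOWED.contains(scheme)) return false; // Cordova starts the default app
        return true; // intent:, market:, sms:, mailto:, scheme-less input and anything unlisted
    }

    /**
     * Called by Cordova for every top-level navigation before its own handling.
     * Returning true means "handled": the WebView does not load the URL and no
     * external Activity is started, which is exactly what blocking requires.
     */
    @Override
    public boolean onOverrideUrlLoading(String url) {
        if (shouldBlock(url)) {
            Log.w(TAG, "Blocked navigation to " + url);
            return true;
        }
        return false;
    }
}
```

Two caveats worth knowing before relying on a filter like this: the hook only sees navigations the WebView routes through shouldOverrideUrlLoading, so it does not cover subresource requests (images, scripts, XHR) or URLs Cordova loads directly with loadUrl; and it is additive to, not a substitute for, the config.xml access whitelist that still governs http and https.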
We're hoping to have a more flexible solution built into Cordova with the next release, but in the meantime, the plugin system is powerful enough to let you control this for your apps yourself.