Formally Disclosed Advisory:
This vulnerability is a universal cross-site scripting (UXSS) vulnerability in Android WebView which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. Apache Cordova apps built for Android devices which allow the loading of http content from domains they do not control could be affected. Theoretically this would be either in an iframe, or by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).
If your app loads a local page that embeds remote content (e.g. the Cordova app's own index.html loads an iframe from malicious-example.com), no user interaction is required for this exploit.
This vulnerability has been fixed in Android WebView as of version 83.0.4103.106. Users must update their Android WebView from the Google Play Store themselves.
Mitigation
There are precautions you can take to avoid this vulnerability.
- Use as restrictive an allow-list and content security policy (CSP) as possible.
- https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-whitelist/
- Ensure CSPs do not include 'unsafe-inline' for script-src/default-src unless necessary.
- Generally, load only local code in your application's main webview, and use InAppBrowser to display anything remote.
- Always load untrusted content into an external browser (i.e. call InAppBrowser with the "_system" target) - https://cordova.apache.org/docs/en/latest/reference/cordova-plugin-inappbrowser/
- Do not use iframes, and if you must, never do so in your application's main webview. Using the sandbox attribute will mitigate this vulnerability (preferably with an empty value). Avoid using these sandbox attributes together: allow-popups, allow-top-navigation, allow-scripts, because that combination does NOT mitigate this vulnerability. For example:
  <iframe sandbox="" src="http://untrusted-source"></iframe>
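As an added example (not code from the Cordova project or from this advisory), the following Node script lints a Cordova index.html against the precautions above: it flags a CSP meta tag that grants 'unsafe-inline' to scripts (script-src, or default-src when script-src is absent), an iframe with no sandbox attribute, and an iframe whose sandbox combines allow-scripts, allow-top-navigation and allow-popups. The two sample pages are constructed for the example; the function names are the example's own.

```javascript
// Added example, not Cordova project code: lint a Cordova index.html for the
// CSP and iframe-sandbox precautions in the CVE-2020-6506 advisory.
// Deliberately regex-based so it runs offline in Node with no dependencies.

const UNSAFE_SANDBOX_COMBO = ['allow-scripts', 'allow-top-navigation', 'allow-popups'];

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(cspText) {
  const policy = {};
  for (const part of cspText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// script-src governs scripts; default-src is the fallback when it is absent.
function cspAllowsInlineScript(policy) {
  const effective = policy['script-src'] || policy['default-src'] || [];
  return effective.includes("'unsafe-inline'");
}

// Return the content of the CSP <meta> tag, or null if the page has none.
// The content attribute must be double-quoted because CSP keywords use single quotes.
function extractCspMeta(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']Content-Security-Policy["']/i.test(tag)) continue;
    const m = tag.match(/\scontent\s*=\s*"([^"]*)"/i);
    if (m) return m[1];
  }
  return null;
}

// Classify one <iframe ...> open tag: 'no-sandbox', 'unsafe-combo' or 'ok'.
function iframeSandboxVerdict(tag) {
  const valued = tag.match(/\ssandbox\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
  const bare = /\ssandbox(?=\s|\/?>)/i.test(tag); // bare attribute is the same as sandbox=""
  if (!valued && !bare) return 'no-sandbox';
  const value = valued ? (valued[1] ?? valued[2] ?? valued[3]) : '';
  const tokens = value.toLowerCase().split(/\s+/).filter(Boolean);
  return UNSAFE_SANDBOX_COMBO.every((t) => tokens.includes(t)) ? 'unsafe-combo' : 'ok';
}

// Run all checks over one HTML document and return human-readable findings.
function lintCordovaPage(html) {
  const findings = [];
  const csp = extractCspMeta(html);
  if (csp === null) {
    findings.push('no Content-Security-Policy meta tag');
  } else if (cspAllowsInlineScript(parseCsp(csp))) {
    findings.push("CSP allows 'unsafe-inline' for scripts");
  }
  (html.match(/<iframe\b[^>]*>/gi) || []).forEach((tag, i) => {
    const verdict = iframeSandboxVerdict(tag);
    if (verdict === 'no-sandbox') {
      findings.push(`iframe #${i + 1} has no sandbox attribute`);
    } else if (verdict === 'unsafe-combo') {
      findings.push(`iframe #${i + 1} sandbox combines ${UNSAFE_SANDBOX_COMBO.join(' + ')}`);
    }
  });
  return findings;
}

// Constructed sample pages (not taken from any real app).
const WEAK_PAGE = `<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: 'unsafe-eval'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'">
</head><body>
<iframe src="http://malicious-example.com/"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation allow-popups" src="http://malicious-example.com/"></iframe>
</body></html>`;

const HARDENED_PAGE = `<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap:; style-src 'self'; script-src 'self'">
</head><body>
<iframe sandbox="" src="http://untrusted-source"></iframe>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak page:', lintCordovaPage(WEAK_PAGE));
  console.log('hardened page:', lintCordovaPage(HARDENED_PAGE));
}
```

The allow-list (config.xml) and the InAppBrowser "_system" target live outside index.html, so this check covers only the CSP and iframe precautions; a sandbox that lacks any one of the three listed tokens is reported as acceptable, matching the advisory's wording rather than a stricter policy.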
Most of these precautions have always been gentle recommendations of Apache Cordova, but were not reflected in the default values, which were typically left open. The Apache Cordova committers are investigating preventing this vulnerability at the framework level, as well as tightening the default values to prevent inadvertent exposure. In the meantime, if you suspect your app is vulnerable, please follow the precautions above.
Credit ( and thanks ) go to Alesandro Ortiz for discovering this vulnerability and bringing it to our attention.
Additional References
- https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/
- https://nvd.nist.gov/vuln/detail/CVE-2020-6506
edit: fixed links that weren't linking -JM