Blog RSS Feed

Security Advisory CVE-2020-6506
By: Jesse MacFadyen
29 Sep 2020

Formally Disclosed Advisory:

This vulnerability is a universal cross-site scripting (UXSS) vulnerability in Android WebView which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. Apache Cordova apps built for Android devices which allow the loading of http content from domains they do not control could be affected. Theoretically this would be either in an iframe, or by use of the InAppBrowser plugin (cordova-plugin-inappbrowser).

If your app loads a local page (e.g. index.html within Cordova app loads iframe from, no user interaction is required for this exploit.

This vulnerability has been fixed in Android WebView as of version 83.0.4103.106. Users must update their Android WebView from the Google Play Store themselves.


There are precautions you can take to avoid this vulnerability.

  1. Use a restrictive an allow-list and content security policy (CSP) as possible.
  2. Generally, always load local code into your application's main webview, and use InAppBrowser to display anything remote.
  3. Do not use iframes, and if you must, never do so in your application's main webview. Using the sandbox attribute will mitigate this vulnerability ( preferably with an empty value. ) Avoid using these sandbox attributes together allow-popups allow-top-navigation allow-scripts because they do NOT mitigate this vulnerability.

     <iframe sandbox='' src='http://untrusted-source' />

Most of these precautions have always been gentle recommendations of Apache Cordova, but were not reflected in the default values which were typically left open. The Apache Cordova committers are investigating preventing this vulnerability at the framework level, as well as tightening the default values to prevent inadvertant exposure. In the meantime, if you suspect your app is vulnerable, please follow the precautions above.

Credit ( and thanks ) go to Alesandro Ortiz for discovering this vulnerability and bringing it to our attention.

Additional References

edit: fixed links that weren't linking -JM