gabides opened a new issue, #1048: URL: https://github.com/apache/cordova-plugin-inappbrowser/issues/1048
# Bug Report

## Problem

### What is expected to happen?

The app should be reviewed by the Play Store with no warning. This is quite urgent, as the store is requiring the issue to be fixed by May 01 2024.

### What does actually happen?

Apps uploaded to the Play Store are receiving the following warning:

```
Hello Google Play Developer,

We reviewed XYZ APP, with package name com.xyz.app, and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user’s device, and may be considered to be in violation of our Device and Network Abuse policy.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.

Vulnerability
JavaScript Interface Injection
Your app(s) are using a WebView that is vulnerable to JavaScript interface injection.
To address this issue, follow the steps in this Google Help Center article.
org.apache.cordova.inappbrowser.VideoEnabledWebView.addJavascriptInterface

APK Version(s)
123456789

Deadline to fix
May 01, 2024

To confirm you’ve upgraded correctly, submit the updated version of your app to the Play Console and check back after five hours. We’ll show a warning message if the app hasn’t been updated correctly.

While these vulnerabilities may not affect every app, it’s best to stay up to date on all security patches.

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.” For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Best,
The Google Play Team
```

## Information

`addJavascriptInterface` is called with an object here: https://github.com/apache/cordova-plugin-inappbrowser/blob/6.0.x/src/android/InAppBrowser.java#L992

The Play Store advises against doing this: https://support.google.com/faqs/answer/9095419?hl=en-GB

### Environment, Platform, Device

Android

### Command or Code

Build a Capacitor app with the plugin `cordova-plugin-inappbrowser` v5 or v6 and try to submit it to the Play Store.

### Version information

cordova-plugin-inappbrowser v6

## Checklist

- [x] I searched for existing GitHub issues
- [x] I updated all Cordova tooling to most recent version
- [x] I included all the necessary information above