Android applications created using Apache Cordova that use a remote server contain a vulnerability where whitelist restrictions are not properly applied. Improperly crafted URIs could be used to circumvent the whitelist, allowing for the execution of non-whitelisted Javascript. Versions 3.7.2 and below are affected.
468458d33746c0862b6ee47045cc0b4a5cc12550b39e5ec7f6aa2a3a16cc6bd8
Apache Cordova Android versions 3.6.4 and below use a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios.
c28802b86c45a140f404d504fd86bad54b63bcda4837aba120ab9c1831ac675a