Context Dependent
Mobile Phone / Hand-held Device
Input Manipulation
Loss of Integrity
Third-Party Solution
Exploit Unknown
No Vendor Response
-
Vulnerability Description
Apache Cordova and PhoneGap contain a flaw that is triggered when handling a malformed script running in an iframe, which can allow the script to choose any vulnerable bridge mechanism via addJavascriptInterface or loadUrl at runtime. This may allow a context-dependent attacker to bypass the domain whitelist.
-
Timeline
2014-01-24
Unknown
Unknown
Unknown
-
Solution
Currently, there are no known workarounds or vendor upgrades to correct this issue. However, the researchers who disclosed this issue have released 'NoFrak', which they claim fixes this vulnerability.
As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.