Mobile Phone / Hand-held Device
Loss of Integrity
No Vendor Response
Apache Cordova and PhoneGap contain a flaw caused by the URL interception ignoring iframe and XMLHttpRequest URLs. With a specially crafted script inside an iframe, a context-dependent attacker can bypass domain whitelisting by calling execute = cordova.require('cordova/exec'); var opts = cordova.require('cordova/plugin/ContactFindOptions'); and directly operating on these objects.
Currently, there are no known workarounds or vendor upgrades to correct this issue. However, the researchers who disclosed this issue have released 'NoFrak', which they claim fixes this vulnerability.
As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.