darktears
commented
7 years ago Hi VitaliDzemidovich,
Thanks for your report.
As announced here https://crosswalk-project.org/blog/crosswalk-final-release.html, Intel Crosswalk team will not make additional Crosswalk releases as the team moved onto other projects. We invite the community to take over the project if it wants to. We'll be happy to merge the patches in the meantime an owner shows up to take over. We'll give the support needed to transition. If you want to provide a patch for this particular issue we'd be happy to merge it.
Thanks.
Found a critical WebView "addJavascriptInterface" vulnerability. This method can be used to allow JavaScript to control the host application. This is a powerful feature, but also presents a security risk for applications targeted to API level JELLY_BEAN(4.2) or below, because JavaScript could use reflection to access an injected object's public fields. Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application.
Reference: 1."http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object,java.lang.String) " 2.https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/ 3.http://50.56.33.56/blog/?p=314 4.http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
Please modify the below code: Lorg/xwalk/core/internal/XWalkViewInternal;->addJavascriptInterface(Ljava/lang/Object; Ljava/lang/String;) Lorg/xwalk/core/internal/XWalkContent;->addJavascriptInterface(Ljava/lang/Object; Ljava/lang/String;)