Security Advisory CVE-2020-6506
Vulnerability detail: https://nvd.nist.gov/vuln/detail/CVE-2020-6506
A universal cross-site scripting security vulnerability was discovered in Android WebView that allows cross-origin iframes or links to execute arbitrary JavaScript in the top-level document. For an attack to be successful, a user would need to navigate to a website or iframe containing malicious code within WebView. The vulnerability has been fixed in Android WebView as of version 83.0.4103.106, however users must update their Android WebView from the Google Play Store.
For users of the outdated Android WebView, Capacitor apps loading third party content in iframes or directly in the web view are only vulnerable if precautions are not taken. We are currently exploring a solution to help mitigate the vulnerability. We recommend taking the following precautions if your application may be vulnerable:
Capacitor configuration (capacitor.config.json)
The best line of defense is to only allow first-party trusted content in the web view.
- Do not modify the server.url to a third party or untrusted website.
- Do not add untrusted websites to server.allowNavigation.
It is recommended that apps behaving as a web browser use the Browser plugin.
HTML iframes
Care should be taken when using iframes in your application. If you need to include an iframe in your page, make sure the content is from a trusted source.
The vulnerability can be mitigated by using the sandbox attribute. Using an empty value is the most restrictive configuration that will prevent an attack.
<iframe sandbox="" src="https://example.com/risky.html"></iframe>Caution: tokens can be added to the sandbox attribute to lift certain restrictions, however some configurations will cause an app to remain vulnerable, such as
“allow-popups allow-top-navigation allow-scripts”.
Further Information
More information about the vulnerability can be found at https://bugs.chromium.org/p/chromium/issues/detail?id=1083819 and https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/. Many thanks to Alesandro Ortiz for bringing this to our attention.