Worklight - Apache Cordova vulnerabilities in your Google Play app

Question

Recently We got a mail from google play store :

"This is a notification that your application, is built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user log in credentials. You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible."

Our Application is built on Worklight 5.0.6 which has cordova version 2.3. But the issue is that latest version of worklight (6.2) provides cordova version 3.4. So how can we upgrade the cordova version to 3.5.1?

What should we do to tackle this issue? Any help would be really appreciated.

Answer 1

For more information, see this blog post: Google Play Store incorrectly flagging Worklight apps

---

These security vulnerabilities have already been addressed in Worklight.

Please see the following blog post, also containing instructions: Action Required: Cordova-Android Security Update

Newer iFixes of all Worklight releases contain security fixes for:

• CVE-2014-3500 - Cordova cross-application scripting via Android intent URLs
• CVE-2014-3501 - Cordova whitelist bypass for non-http URLs
• CVE-2014-3502 - Cordova apps can potentially leak data to other apps via android intent URLs

You need to visit IBM Fix Central and download the latest available iFix for your version of Worklight, rebuild the application and re-submit it so that users could download the updated version of your application. If the note from Google that you have mentioned does NOT refer to the above fixed issues, please provide a link to a document or the relevant bug numbers from Cordova.