l4rnaud

Reputation: 319

react-native-webview high vulnerability UXSS

I started a new React Native app and tried to use a WebView for playing YouTube videos. It was OK the last time I used it, but this time when I install the package I get a high vulnerability message: "High Universal XSS in Android WebView". More info: https://npmjs.com/advisories/1560

My questions:

Upvotes: 3

Views: 1202

Answers (1)

Ton Snoei

Reputation: 3195

It is good that you are security aware!

Can we use it?

I don't think Google will reject your app. In other words, we launched a few apps using react-native-webview and did not experience any problem when launching on Google Play.

This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs. I don't think you use the webview that way.

So, yes, I think you can use it.

How to fix it?

As found in the advisory https://npmjs.com/advisories/1560:

Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.

So you have to be patient and wait for a fix. The way you use it is safe.

Upvotes: 1
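The answer notes that the advisory concerns WebViews that allow navigation to arbitrary URLs. The following is an added example, not code from the answer or from the react-native-webview project, showing one way to keep a video-only WebView on an allowlist of hosts. `ALLOWED_HOSTS` and `isAllowedNavigation` are hypothetical names, the host list and `VIDEO_ID` are placeholders, and the code assumes a WHATWG-compliant `URL` parser is available in the runtime.

```javascript
// Added example: navigation allowlist for a WebView that only plays embedded video.
// ALLOWED_HOSTS and isAllowedNavigation are hypothetical names, not library API.
const ALLOWED_HOSTS = new Set([
  'www.youtube.com',
  'www.youtube-nocookie.com',
  'm.youtube.com',
]);

// Returns true only for https URLs whose exact hostname is on the allowlist.
function isAllowedNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false; // unparsable input is denied, never passed through
  }
  // Deny javascript:, data:, file:, intent:, plain http:, and so on.
  if (url.protocol !== 'https:') return false;
  // Deny "https://www.youtube.com@other.example/" style userinfo tricks.
  if (url.username || url.password) return false;
  // Exact match on the parsed hostname, so "www.youtube.com.other.example"
  // and substring checks on the raw string cannot slip through.
  return ALLOWED_HOSTS.has(url.hostname);
}

// Wiring in a component (shown as a comment so this file runs without React Native).
// originWhitelist and onShouldStartLoadWithRequest are react-native-webview props;
// returning false from the callback cancels the load.
//
// <WebView
//   source={{ uri: 'https://www.youtube.com/embed/VIDEO_ID' }}
//   originWhitelist={['https://*']}
//   onShouldStartLoadWithRequest={(req) => isAllowedNavigation(req.url)}
// />

// Constructed sample URLs for a quick manual check.
const SAMPLES = [
  'https://www.youtube.com/embed/VIDEO_ID',
  'https://www.youtube.com@other.example/',
  'https://www.youtube.com.other.example/',
  'javascript:void(0)',
];
for (const u of SAMPLES) {
  console.log(isAllowedNavigation(u) ? 'allow' : 'deny ', u);
}
```

This narrows where the WebView can navigate; updating the Android WebView system component, as the advisory quoted above says, is still required.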
