Apache Cordova security vulnerability

I recently uploaded an Android app to Google Play and received the well-known security vulnerability warning "Apache Cordova security vulnerability". I am a bit confused, because I am using Cordova CLI 6.0.0 and Cordova Android 5.1.1. What am I doing wrong?

Project information:

>cordova platform ls
Installed platforms: android 5.1.1
Available platforms: amazon-fireos, blackberry10, browser, firefoxos, webos, windows, windows8, wp8

>cordova --version
6.0.0

>cordova plugin ls
cordova-plugin-device 1.1.2-dev "Device"
cordova-plugin-dialogs 1.2.1-dev "Notification"
cordova-plugin-file 4.1.2-dev "File"
cordova-plugin-file-transfer 1.5.1-dev "File Transfer"
cordova-plugin-geolocation 2.1.1-dev "Geolocation"
cordova-plugin-globalization 1.0.3-dev "Globalization"
cordova-plugin-inappbrowser 1.3.1-dev "InAppBrowser"
cordova-plugin-network-information 1.2.1-dev "Network Information"
cordova-plugin-splashscreen 3.2.1-dev "Splashscreen"
cordova-plugin-whitelist 1.2.2-dev "Whitelist"

I have already tried adding/removing the following lines in config.xml:
<plugin name="cordova-plugin-whitelist" spec="1" />
<access origin="*" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="android">
    <allow-intent href="market:*" />
</platform>

I have also tried adding and removing the following line in index.html:
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">

This is the email I received from the Google Play team:

Hello Google Play Developer,

We rejected XXXXXX, package ID XXXXXXX, for violating our Malicious Behavior policy. If you submitted an update, the previous version of your app is still available on Google Play.

This app uses software that contains security vulnerabilities for users.

Below is the list of vulnerabilities and the corresponding APK versions that were detected in your recent submission. Please upgrade your app(s) as soon as possible and increment the version number of the upgraded APK.

Vulnerability       APK Version(s)
Apache Cordova      The vulnerabilities were fixed in Apache Cordova v.3.5.1.

You can find more information and next steps in this Google Help Center article.

A long shot - Google does not say so explicitly, although they are looking for XSS exposure - but is it possible that you added 'unsafe-inline' to the <meta http-equiv="Content-Security-Policy" content="default-src ..."> tag, which allows inline JScript to be included?

As @jcesarmobile said, there are several cordova.js files in a Cordova project. I not only had to update the main cordova.js file in the www folder, I also had to manually update this file in the other folders (e.g. /platform/android/assets/www); then I could upload the new version to Google Play without the security warning.
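The fix in the accepted answer only works if every copy of cordova.js that ends up in the APK has actually been replaced, not just the one under www. The following shell script is an added example, not code from the original post or from the Cordova project: it walks a project tree, reads the version label out of each cordova.js it finds, and flags copies below the 3.5.1 minimum named in the rejection mail. It assumes that cordova.js declares its version on a line of the form var PLATFORM_VERSION_BUILD_LABEL = '...' (newer builds) or var CORDOVA_JS_BUILD_LABEL = '...' (older builds); if your copy uses a different label, adjust the sed pattern. The sample project it creates in a temporary directory, with a stale copy under platforms/android/assets/www, is constructed for the demo and mimics the standard Cordova layout.

```shell
#!/bin/sh
# Added example (not from the original post or the Cordova project): audit
# every cordova.js copy in a Cordova project tree and report copies whose
# version label is older than the minimum Google Play asked for (3.5.1).
#
# Assumption: cordova.js carries its version on a line such as
#   var PLATFORM_VERSION_BUILD_LABEL = '5.1.1';   (newer builds)
#   var CORDOVA_JS_BUILD_LABEL = '3.4.0';         (older builds)

MIN_VERSION="3.5.1"

# Print the version label found in one cordova.js file, or "unknown".
cordova_js_version() {
    v=$(sed -n -E "s/^var (PLATFORM_VERSION_BUILD_LABEL|CORDOVA_JS_BUILD_LABEL) *= *'([^']*)'.*/\2/p" "$1" | head -n 1)
    if [ -z "$v" ]; then
        echo "unknown"
    else
        echo "$v"
    fi
}

# Return 0 when version $1 is older than $2. Versions are dot-separated
# numbers; a pre-release suffix after '-' (e.g. 3.5.0-0.2.6) is ignored.
version_lt() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;
    }'
}

# List every cordova.js below a project root (node_modules excluded).
# One line per file: <path> TAB <version> TAB <OK|OUTDATED|UNKNOWN>
audit_cordova_js() {
    find "$1" -type f -name 'cordova.js' ! -path '*/node_modules/*' | sort |
    while IFS= read -r f; do
        v=$(cordova_js_version "$f")
        if [ "$v" = "unknown" ]; then
            verdict="UNKNOWN"
        elif version_lt "$v" "$MIN_VERSION"; then
            verdict="OUTDATED"
        else
            verdict="OK"
        fi
        printf '%s\t%s\t%s\n' "$f" "$v" "$verdict"
    done
}

# Number of copies that are not confirmed current (OUTDATED or UNKNOWN).
count_outdated() {
    audit_cordova_js "$1" | awk -F"$(printf '\t')" '$3 != "OK" { n++ } END { print n + 0 }'
}

# Constructed sample project: www/ holds an updated cordova.js while the
# Android platform folder still holds a stale pre-3.5.1 copy, which is the
# situation the accepted answer describes. Prints the temp directory path.
make_sample_project() {
    dir=$(mktemp -d)
    mkdir -p "$dir/www" "$dir/platforms/android/assets/www" "$dir/platforms/android/platform_www"
    printf "// Platform: android\nvar PLATFORM_VERSION_BUILD_LABEL = '5.1.1';\n" > "$dir/www/cordova.js"
    printf "// Platform: android\nvar CORDOVA_JS_BUILD_LABEL = '3.4.0';\n" > "$dir/platforms/android/assets/www/cordova.js"
    printf "// Platform: android\nvar PLATFORM_VERSION_BUILD_LABEL = '5.1.1';\n" > "$dir/platforms/android/platform_www/cordova.js"
    echo "$dir"
}

# Demo on the constructed sample. Real use: audit_cordova_js /path/to/project
SAMPLE=$(make_sample_project)
audit_cordova_js "$SAMPLE"
rm -rf "$SAMPLE"
```

Any OUTDATED or UNKNOWN row is a copy that would still be packaged into the next build, so copy the current cordova.js over it (or re-add the platform) and re-run the audit before uploading; running it in CI before the release build turns the manual hunt described in the answer into a repeatable check.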