Apache Cordova Plugin InAppBrowser
cpe:2.3:a:apache:cordova_in-app-browser:*:*:*:*:iphone_os:*:*
- >= 3.1.0, <= 6.0.0
A vulnerability exists in the iOS version of the Apache Cordova InAppBrowser plugin, specifically in versions 3.1.0 and later, prior to 6.0.0. The issue arises because the plugin does not validate the format of the 'id' field in messages from the WKScriptMessage body before passing it to the command delegate. This lack of validation allows any web content loaded in the InAppBrowser to manipulate Cordova callbacks by sending messages with guessable or enumerated callback IDs. An attacker could exploit this vulnerability by targeting specific plugins and callback IDs used by the host application. Knowledge of common Cordova plugin configurations could enable the creation of reusable payloads for widely-used plugins.
Exploitation of this vulnerability allows an unauthenticated remote attacker to dispatch Cordova plugin callbacks from content controlled by the attacker, potentially spoofing plugin results across trust boundaries. For instance, an attacker could inject false approvals or data responses from plugins such as Camera, Contacts, File, or Geolocation.
Users are advised to upgrade to Apache Cordova InAppBrowser version 6.0.1, which addresses this vulnerability.
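The missing check described above, sketched as an added example (it is not the plugin's own code or its actual fix): the 'id' value is accepted only if it is a string naming one of InAppBrowser's own callbacks. The `InAppBrowser<digits>` ID pattern, the dictionary-shaped message body, and the `IAB*` function names are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>
// Build (macOS): clang -fobjc-arc -framework Foundation example.m

// Assumption: the plugin's own callback IDs are "InAppBrowser" followed by
// decimal digits. Anything else (another plugin's ID, a non-string) is rejected.
static BOOL IABIsValidCallbackId(id candidate) {
    if (![candidate isKindOfClass:[NSString class]]) {
        return NO; // numbers, arrays, NSNull, nested objects
    }
    static NSRegularExpression *pattern;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        // \A and \z anchor to the whole input; "$" would also match just
        // before a trailing line terminator.
        pattern = [NSRegularExpression
            regularExpressionWithPattern:@"\\AInAppBrowser[0-9]+\\z"
                                 options:0
                                   error:nil];
    });
    NSString *s = candidate;
    NSRange whole = NSMakeRange(0, s.length);
    return [pattern numberOfMatchesInString:s options:0 range:whole] == 1;
}

// `body` stands in for WKScriptMessage.body, which the loaded page controls.
// Returns the callback ID that may be handed to the command delegate,
// or nil when the message must be dropped.
static NSString *IABCallbackIdFromMessageBody(id body) {
    if (![body isKindOfClass:[NSDictionary class]]) return nil;
    id callbackId = ((NSDictionary *)body)[@"id"];
    return IABIsValidCallbackId(callbackId) ? callbackId : nil;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample message bodies, not captured traffic.
        NSArray *bodies = @[
            @{@"id": @"InAppBrowser1234", @"d": @"[]"},
            @{@"id": @"Camera1234", @"d": @"[]"},
            @{@"id": @"InAppBrowser12\n"},
            @{@"id": @42},
            @"not a dictionary",
        ];
        for (id body in bodies) {
            NSString *cid = IABCallbackIdFromMessageBody(body);
            NSLog(@"%@ -> %@", body, cid ? @"dispatch" : @"drop");
        }
    }
    return 0;
}
```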