Vulnerabilities and Remediation Deadlines
CVE-2015-5256; applies to pre-4.1.1 versions of Apache Cordova. These versions are vulnerable to improper application of whitelist restrictions on Android. This results in a vulnerability where whitelist restrictions are not properly applied. Improperly crafted URIs could be used to circumvent the whitelist, allowing for the execution of non-whitelisted Javascript. Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova.
CVE-2015-1835; applies to pre-4.0.2 versions of Apache Cordova. These versions are vulnerable to remote exploit of secondary configuration variables in Apache Cordova on Android. Affected apps that don't have explicit values set in Config.xml can have undefined configuration variables set by Intent. This can cause unwanted dialogs appearing in applications and changes in the application behaviour that can include the app force-closing. Beginning May 9, 2016, Google Play will block publishing of any new apps or updates that use pre-4.1.1 versions of Apache Cordova.
CVE-2014-3502; applies to pre-3.5.1 versions of Apache Cordova. Vulnerabilities include a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, susceptible apps could be remotely exploited to steal sensitive information, such as user login credentials. The remediation deadline for this vulnerability has passed. Google Play will block publishing of any new apps or updates containing this vulnerability.