PT-2014-4338 · Apache+1 · Apache Cordova+1
Martin Georgiev +2 · Published 2014-03-03 · Updated 2014-03-03 · CVE-2014-1881
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Apache Cordova versions 3.3.0 and earlier
Adobe PhoneGap versions 2.9.0 and earlier
Description
The issue allows remote attackers to bypass intended device-resource restrictions of an event-based bridge. This is achieved via a crafted library clone that leverages IFRAME script execution and waits a certain amount of time for an OnJsPrompt handler return value as an alternative to correct synchronization.
Recommendations
For Apache Cordova versions 3.3.0 and earlier, consider restricting access to the event-based bridge until a fix is available.
For Adobe PhoneGap versions 2.9.0 and earlier, avoid using the OnJsPrompt handler in the affected library clone until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
Phonegap
Apache Cordova