{"type":"auditAdvisory","data":{"resolution":{"id":1560,"path":"@celo/mobile>react-native-webview","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"10.8.3","paths":["@celo/mobile>react-native-webview"]}],"id":1560,"created":"2020-09-25T17:05:34.518Z","updated":"2020-09-25T17:05:34.518Z","deleted":null,"title":"Universal XSS in Android WebView","found_by":{"link":"","name":"Alesandro Ortiz","email":""},"reported_by":{"link":"","name":"Alesandro Ortiz","email":""},"module_name":"react-native-webview","cves":["CVE-2020-6506"],"vulnerable_versions":">= 0.0.0","patched_versions":"<0.0.0","overview":"A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.","recommendation":"Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.","references":"- https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/","access":"public","severity":"high","cwe":"CWE-79","metadata":{"module_type":"","exploitability":4,"affected_components":""},"url":"https://npmjs.com/advisories/1560"}}}