=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN604
_____________________________________________________________________

DATE                : 09/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cordova Plugin InAppBrowser
                         versions prior to 6.0.1.

=====================================================================
https://lists.apache.org/thread/mp6l6y6dlxc05zo4442x9j6m974qdz3q
_____________________________________________________________________

CVE-2026-47430: Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova
callback IDs can be dispatched without validation from InAppBrowser
WebViews

Severity: important 

Affected versions:

- Cordova Plugin InAppBrowser (cordova-plugin-inappbrowser) 3.1.0
through 6.0.0

Description:

## Summary

The iOS implementation of `cordova-plugin-inappbrowser` passes the
`id` field from a `WKScriptMessage` body to `commandDelegate
sendPluginResult:callbackId:` with no format validation
(`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the
InAppBrowser can fire any pending Cordova callback in the host app
by posting a message whose `id` field is a guessable or enumerated
callback identifier. An attack abusing this weakness must be
tailored to the specific plugins and callback IDs the host app
uses, though an attacker with knowledge of common Cordova plugin
configurations could craft reusable payloads targeting
widely-adopted plugins.


## Impact

An unauthenticated remote attacker who controls content displayed
in the InAppBrowser — via a URL the app opens (OAuth redirect,
marketing link, deep-link target) or a network interception — can
call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})`
to fire callbacks belonging to any other installed Cordova
plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs
follow the predictable format `<PluginName><sequential-integer>`,
making enumeration feasible. Successful exploitation allows the
attacker to spoof plugin results across trust boundaries — for
example, injecting a forged camera approval, a fabricated
contacts list, or a crafted file-read response.

This issue affects Cordova Plugin InAppBrowser: from 3.1.0
through 6.0.0.

Users are recommended to upgrade to version 6.0.1, which fixes
the issue.

This issue is being tracked as #1152 

Credit:

Niklas Merz (finder)

References:

https://cordova.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-47430
https://issues.apache.org/jira/browse/#1152

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




