fix(deps): update dependency react-native-webview to v11 [security] #188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-react-native-webview-vulnerability

Contributor

renovate bot commented May 28, 2023 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
react-native-webview	`^7.4.2` -> `^11.0.0`

GitHub Vulnerability Alerts

CVE-2020-6506

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.

Pending mitigation

Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.

References

https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/

Release Notes

react-native-webview/react-native-webview (react-native-webview)

`v11.0.0`

Features

android: Introduce setSupportMultipleWindows to mitigate CVE-2020-6506 (#1747 by @mrcoinbase and @kelset -- THANK YOU!) (194c6a2)

BREAKING CHANGES

android: This release introduces the setSupportMultipleWindows prop for Android. This sets the underlying Android WebView setting setSupportMultipleWindows. This prop defaults to true (previously false), and serves to mitigate the security advisory CVE-2020-6506.

The primary way this new behavior changes existing React Native WebView implementations on Android is that links that open in new tabs/windows (such as <a target="_blank">) will now prompt to open in the system browser, rather than re-using the current WebView.

If this behavior is not desirable, you can set this new prop to false, but be aware that this exposes your app to the security vulnerability listed above. Make sure you have read and understand the whole advisory and relevant links.

iOS & Windows are unaffected.

<WebView
  // ...
  setSupportMultipleWindows={true} // default: true
/>

Thanks to @mrcoinbase, @kelset, and @Titozzz for their work on this.

`v10.10.2`

Bug Fixes

android: Unset mWebChromeClient on WebViewManager rather than WebView (#1720) (c95c0ea)

`v10.10.1`

Bug Fixes

windows: Resolve Missing Deploy Target (#1716 by @chiaramooney) (8bd0b41)

`v10.10.0`

Features

windows: JS-WebView messaging bridge & multiple WebViews fixes (#1617) (b930e25)

`v10.9.3`

Bug Fixes

android: Update SSL error handling (#1466) (ef48d35)

`v10.9.2`

Bug Fixes

macOS: Don't include iOS pull-to-refresh control (#1636) (dbf4659)
podspec: Lowered deployment target for MacOS to 10.13 (#1673) (f204195)

`v10.9.1`

Bug Fixes

ios: Xcode 12 compatibility (#1643) (08b7099)

`v10.9.0`

Features

iOS: Add prop autoManageStatusBarEnabled (#914) (22a60fd)

`v10.8.3`

Bug Fixes

types: Update Typescript definition file (#1597) (9dcd108)

`v10.8.2`

Bug Fixes

deps: Update package.json (#1583) (8dd9969)

`v10.8.1`

Bug Fixes

iOS: changed the way the top view controller is obtained. (#1592) (2cb2113)
ts: Convert ContentInsetAdjustmentBehavior from an enum back to a string union type (#1536) (a48c981)

`v10.8.0`

Features

android: Add androidLayerType as prop (#1588) (9ffca8f)

`v10.7.0`

Features

iOS: Add the pull to refresh (#1265) (a02d88f)

`v10.6.0`

Features

events: Add isTopFrame to shouldStartLoadForRequest (#1537) (6a9116f)

`v10.5.0`

Features

ios: Add iOS contentMode property (#1538 by @TheAlmightyBob) (8b69452)

`v10.4.2`

Bug Fixes

incognito: Ensures that incognito doesn't clear cookies when not enabled (#1447 by @jasonkellydk) (63c584c)

`v10.4.1`

Bug Fixes

iOS: file picker crash (#1567) (05c1d8f)

`v10.4.0`

Features

android: WebView crash handling (#1480) (8a8b7ce)

`v10.3.3`

Bug Fixes

types: Add missing applicationNameForUserAgent type in WebViewSharedProps (#1542) (91295e5)

`v10.3.2`

Bug Fixes

android sdk 28: build issue (#1469) (5f823bb)

`v10.3.1`

Bug Fixes

android: Add SSL error handling for Android WebView (#1450 by @thephpjedi) (1bd5961), closes #259

`v10.3.0`

Features

android: Add support for injectedJavaScriptBeforeContentLoaded on Android (#1099 by @SRandazzo and @ @shirakaba) (ac4e05e)

`v10.2.3`

Bug Fixes

windows: Add postMessage for Windows WebView (#1263 by @kaiguo) (e402e73)

`v10.2.2`

Bug Fixes

android: duplicate setWebChromeClient() overwrite (#1417) (2f8c4c5)

`v10.2.1`

Bug Fixes

android: Fixes black screen on back button press (#1298 by @michan85) (0317a4b)
android: Improve onLoadProgress consistency (#1373 by @hojason117) (b97d16c)

`v10.2.0`

Bug Fixes

android: Updated permissions for Android Q and above (#1384 by @Karthz) (03dbcb8)

Features

webview: Allow javascript to open windows automatically (#1409 by @trcoffman) (91df544)

`v10.1.1`

Bug Fixes

android: Broken build due to conditional import of kotlin (#1412) (7ab2afb)

`v10.1.0`

NOTE: use v10.1.1 as this version has an issue in Android

Bug Fixes

android: Fix several Android file upload issues (#1302 by @hojason117) (89886c8)

Features

compatibility: Support React Native 0.62 (#1364 by @jussikinnula and @kaiguo) (228f10d)

`v10.0.0`

Bug Fixes

android: add missing null check for fileTypes (#1368 by @bengy) (4f0f0af)
gradle: Load Android Gradle Plugin conditionally (#1230 by @SaeedZhiany) (2639d52)
iOS: Trigger _onContentProcessDidTerminate when removing webview from superview (#1378 by @pmusaraj) (9240536)
windows: Fix windows local asset path (#1335 by @kaiguo) (20a3f90)
windows: Fixes ScriptNotify and InvokeScript (#1354 by @benhamlin) (81e0360)

BREAKING CHANGES

gradle: The Android Gradle plugin is only required when opening the project stand-alone, not when it is included as a dependency. By doing this, the project opens correctly in Android Studio, and it can also be consumed as a native module dependency from an application project without affecting the app project (avoiding unnecessary downloads/conflicts/etc).

Also moved getExtOrDefault to buildScript block to able to use everywhere in the file

This change shouldn't break any apps, but we are marking it as a breaking change in case there are some use cases we've missed.

[skip ci]

`v9.4.0`

Features

iOS: Add onFileDownload callback (#1214) (a6010d9)

`v9.3.0`

Features

macOS: Make podspec compatible with macOS (#1328) (2d9b080)

`v9.2.2`

Bug Fixes

Android: Resolve crypto error with uuid usage (#1334) (438e292)

`v9.2.1`

Bug Fixes

iOS: Adds missing silent hardware declaration to header file (#1319) (2b4d752), closes #1140

`v9.2.0`

Features

iOS: Add Hardware Silence (#1218) (d4ab332), closes #1140

`v9.1.4`

Bug Fixes

Android: Workaround for chromium bugs 1023678 and 1050635. (#1221) (5d88af4)

`v9.1.3`

Bug Fixes

Windows: Move rnpm-plugin-windows to devDependencies. (#1266) (d16746c)

`v9.1.2`

Bug Fixes

Android: Ensure each mounted WebView binds their personal onMessage handler (#1301) (04f9fb2)

`v9.1.1`

Bug Fixes

iOS: injectedJavaScriptBeforeContentLoaded now runs when messaging is not enabled (#1286) (571fb8d)

`v9.1.0`

Features

Android: Implement direct communication between Android code and JS (#1203) (c88e380)

`v9.0.2`

Bug Fixes

types: Remove readonly definition in WebViewTypes.ts (#1272) (3c06d78)

`v9.0.1`

Bug Fixes

deps: Update lock file (#1257) (9732d65)

`v9.0.0`

Features

iOS: WKUserScripts (e.g. injectedJavaScript) can now update upon props change; and can be configured to inject into all frames. (#1119) (9cb2f6e), closes /github.com/react-native-community/react-native-webview/pull/1119#issuecomment-574919464

BREAKING CHANGES

iOS: • Props updates to injectedJavaScript are no longer immutable.

`v8.2.1`

Bug Fixes

deps: Update React Native Windows version to ^0.61.0-beta.58 (#1256) (91064ab)

`v8.2.0`

Features

Windows: Windows support! (#1220) (ffee0d4)

`v8.1.2`

Bug Fixes

Android: Don't log the cookie when downloading file. (#1224) (2470245)

`v8.1.1`

Bug Fixes

Android: Don't show camera options for a file upload when they can not be used (#1210) (4093682)

`v8.1.0`

Features

macOS: macOS Support (#1164) (1e57231)

`v8.0.6`

Bug Fixes

Android: Revert "Redirected URLs now redirect correctly. (#991)" (#1177) (344aab5)

`v8.0.5`

Bug Fixes

Android: Redirected URLs now redirect correctly. (#991) (acf1ad7)

`v8.0.4`

Bug Fixes

iOS: Meta method 'UIScrollViewContentInsetAdjustmentBehavior:' conflict warning (e6edc6d), closes /github.com/facebook/react-native/blob/master/React/Views/ScrollView/RCTScrollViewManager.m#L40

`v8.0.3`

Bug Fixes

whitelisted origins: Prevent handling of un-whitelisted URLs (0442126)

`v8.0.2`

Bug Fixes

iOS: WKWebView RetainCycle (#1096) (4f4644f)

`v8.0.1`

Bug Fixes

iOS: Ignore WebKitDomainError 101 (#961) (adb5608)

`v8.0.0`

Features

ios: Generate history API events on iOS (#1082) (3615296)

BREAKING CHANGES

ios: if you use onNavigationStateChange on iOS it will now trigger on # changes to the url.
Hook the window.history API on iOS to generate events

The underlying WKWebView doesn't seem to generate any events in response to the window.history API - none of the WKNavigationDelegate methods fire.

Given this limitation, the only way to know when the location changes via this API is to inject Javascript into the page and have it notify the native code directly when any of these functions are called.

The setTimeout call gives up the current tick, allowing the location to change before firing the event.

Remove the outdated section about hash changes

Now that this bug is fixed, the workaround is no longer required.

`v7.6.0`

Bug Fixes

ios: Make allowFileAccessFromFileURLs work in iOS. (#1061) (88b6498)

Features

iOS: new prop injectedJavaScriptBeforeContentLoaded (#1038) (604495e)

`v7.5.2`

Bug Fixes

android: Added fallback poster image to prevent crashes (#1036) (d8acd90)
build: Android build errors when using Gradle 6.0 (#1037) (5b0c634)

`v7.5.1`

Bug Fixes

android: Fix ClassCastException when doing native things(#987) (7e68da4)

`v7.5.0`

Features

android: add clearHistory, clearCache and clearFormData (#450) (4a4f4a2)

`v7.4.4`

Bug Fixes

android: crash problem while loading local html resource (#1010) (05c286f)

`v7.4.3`

Bug Fixes

android: possible NullPointerException (#965) (fab77dc)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          fix(deps): update dependency react-native-webview to v11 [security]

819e89d

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet