Does setJavaScriptEnabled(false) fix Cross App Scripting Vulnerability

As https://support.google.com/faqs/answer/9084685 mentioned, "WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious apps into executing JavaScript code in an unsafe context."

Does this mean that setJavaScriptEnabled(false) can fix the Cross App Scripting Vulnerability problem?

There are 2 best solutions below

0
On BEST ANSWER

Well, cross scripting won't work when you disable scripting (JS) at all... Look at the points in Option 2 under the link: all are related to JS and somehow limiting its usage. When you disable JS entirely then there is nothing to limit - scripting just doesn't work (also malicious).

Note that there are plenty of methods for breaking your app; with WebView there are potentially twice as many...

0
On

The problem does not get solved by disabling JavaScript. E.g. what happens if you insert HTML? It might deface your app or site.

The best thing to do is validate ALL data as malicious until validated otherwise...

I am not a mobile dev really but I am sure you can add some way of authenticating the sources you deal with... JavaScript Web Tokens are one way to handle this type of authentication. Perhaps someone with more Android dev experience can correct me?
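
Both answers can be combined in one Activity: turn JavaScript off and still treat the Intent-supplied URL as untrusted before it reaches the WebView. The sketch below is an added example, not code from either answer or from the linked Google page; the class name, extra key, fallback URL and host allowlist are hypothetical.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HelpActivity extends Activity {
    static final String EXTRA_URL = "com.example.EXTRA_URL";      // hypothetical extra key
    static final String FALLBACK = "https://help.example.com/";   // hypothetical default page
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("help.example.com"));      // hypothetical allowlist

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);   // no script execution in this WebView
        settings.setAllowFileAccess(false);     // no file:// loads
        settings.setAllowContentAccess(false);  // no content:// loads

        // If this Activity is exported, any installed app can set this extra,
        // so it is validated before it is handed to loadUrl().
        String requested = getIntent().getStringExtra(EXTRA_URL);
        webView.loadUrl(isTrusted(requested) ? requested : FALLBACK);
    }

    /** Accepts only https URLs whose host is on the allowlist. */
    static boolean isTrusted(String raw) {
        if (raw == null) return false;
        Uri uri = Uri.parse(raw);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        // Rejects javascript:, file:, content:, data: and plain http.
        if (!"https".equals(scheme.toLowerCase(Locale.ROOT))) return false;
        // Reject any userinfo component so the host check is unambiguous.
        if (uri.getUserInfo() != null) return false;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

With JavaScript disabled the scheme and host check still matters, because an unvalidated URL could otherwise make the WebView render arbitrary HTML or local content inside the app's UI.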