WebViews can be used to display web content as part of a mobile application. When JavaScript support is enabled, the WebView acts like a browser and may expose the application to web-based attacks.

Why is this an issue?

Enabling JavaScript in a WebView allows arbitrary JavaScript to run inside the mobile application's context. Depending on the other WebSettings, JavaScript running inside a WebView can read local files (when file or content access is allowed), reach device capabilities, and call any native methods the app has exposed to the web layer through addJavascriptInterface. This amplifies the impact of a Cross-Site Scripting (XSS) attack well beyond what is possible in a regular browser, where the same script would be confined to the page's origin. This rule flags WebView configurations that enable JavaScript support.

In Android, JavaScript support in WebView is disabled by default and is turned on by calling setJavaScriptEnabled(true) on the WebView's WebSettings.

What is the potential impact?

If an attacker can inject or control the web content displayed in the WebView (for example through an XSS flaw in the loaded site, a page fetched over plain HTTP that is tampered with in transit, or a URL the attacker gets the app to load), they can execute arbitrary JavaScript in the context of the mobile application. This may allow them to exfiltrate sensitive files stored on the device, steal application credentials such as session tokens, or invoke exposed native functionality to escalate their privileges within the app.

How to fix it

Code examples

Noncompliant code example

import android.webkit.WebView;

WebView webView = (WebView) findViewById(R.id.webview);
webView.getSettings().setJavaScriptEnabled(true); // Noncompliant

Compliant solution

import android.webkit.WebView;

WebView webView = (WebView) findViewById(R.id.webview);
webView.getSettings().setJavaScriptEnabled(false); // Compliant: JavaScript stays off (also the default)
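Disabling JavaScript is the fix the rule asks for. In practice an app sometimes cannot do without it, so the helper below, an added example that is not part of this rule page or of the Android SDK, shows the rest of the WebSettings a reviewer would expect alongside that decision: file and content access off, no JavaScript bridge, and, where JavaScript must stay on, a WebViewClient that confines top-level navigation to an allowlisted HTTPS host. The class name HardenedWebView, the method names and the allowlist entry app.example.com are assumptions made for the example; only the android.webkit and android.net calls are real SDK APIs (the WebResourceRequest overload of shouldOverrideUrlLoading needs API level 24 or later).

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical helper (added example, not part of the rule or the Android SDK).
 * Applies a restrictive WebSettings profile and only keeps JavaScript enabled
 * while the view is confined to an explicitly allowlisted HTTPS origin.
 */
public final class HardenedWebView {

    // Constructed allowlist of hosts whose pages may run JavaScript. Assumption:
    // the app only needs to render its own first-party pages.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    private HardenedWebView() {}

    /** Default profile: no JavaScript, no file/content access, no native bridge. */
    public static void applySafeDefaults(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);               // Compliant: the rule's fix
        settings.setAllowFileAccess(false);                 // no file:// reads from page content
        settings.setAllowContentAccess(false);              // no content:// provider reads
        settings.setAllowFileAccessFromFileURLs(false);     // deprecated since API 30, still honoured on older levels
        settings.setAllowUniversalAccessFromFileURLs(false);
        settings.setJavaScriptCanOpenWindowsAutomatically(false);
        // Do not call webView.addJavascriptInterface(...) on a view that can show
        // untrusted content: that bridge is the "exposed native functionality"
        // the rule warns about, and it is the first thing injected script looks for.
    }

    /**
     * When JavaScript is genuinely required, keep it on only for allowlisted
     * HTTPS origins. Every top-level navigation is checked; anything else is
     * blocked rather than loaded. This is a documented, accepted deviation
     * from the rule, not a substitute for its fix.
     */
    public static void enableJavaScriptForAllowedOrigins(WebView webView) {
        applySafeDefaults(webView);
        webView.getSettings().setJavaScriptEnabled(true); // Noncompliant for the rule; accepted risk

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true tells the WebView NOT to load the URL itself.
                return !isAllowedOrigin(request.getUrl());
            }
        });
    }

    /** Origin check: HTTPS only, exact host match, case-insensitive. */
    static boolean isAllowedOrigin(Uri uri) {
        if (uri == null) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /**
     * Entry point used by the app. loadUrl() itself is not routed through
     * shouldOverrideUrlLoading, so the initial URL is checked here explicitly.
     */
    public static void loadTrusted(WebView webView, String url) {
        Uri uri = Uri.parse(url);
        if (!isAllowedOrigin(uri)) {
            throw new IllegalArgumentException("refusing to load non-allowlisted URL: " + url);
        }
        enableJavaScriptForAllowedOrigins(webView);
        webView.loadUrl(url);
    }
}
```

Two caveats on the allowlist approach. shouldOverrideUrlLoading only sees navigations, not subresources: a page from the allowed host can still include scripts from anywhere, so the page's own Content-Security-Policy remains the control for that. And the check does not help if the allowed site itself is vulnerable to XSS; the only setting that removes the script-execution risk entirely is the compliant solution above, setJavaScriptEnabled(false).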

Resources

Standards

Related rules