WebViews can be used to display web content as part of a mobile application. When JavaScript support is enabled, the WebView acts like a browser and may expose the application to web-based attacks.
Enabling JavaScript in a WebView allows arbitrary JavaScript to run inside the mobile application’s context. JavaScript running inside a WebView can access local files, device APIs, and any native functions exposed to the web layer, amplifying the impact of a Cross-Site Scripting (XSS) attack well beyond what is possible in a regular browser. This rule flags WebView configurations that enable JavaScript support.
In Android, JavaScript support in WebView is controlled by calling setJavaScriptEnabled(true) on its WebSettings.
If an attacker can inject or control the web content displayed in the WebView, they can execute arbitrary JavaScript in the context of the mobile application. This may allow them to exfiltrate sensitive files stored on the device, steal application credentials, or invoke exposed native functionality to escalate their privileges within the app.
```java
import android.webkit.WebView;

WebView webView = (WebView) findViewById(R.id.webview);
webView.getSettings().setJavaScriptEnabled(true); // Noncompliant
```

```java
import android.webkit.WebView;

WebView webView = (WebView) findViewById(R.id.webview);
webView.getSettings().setJavaScriptEnabled(false); // Compliant: script execution stays off
```
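The following is an added example, not code from the rule or from the Android SDK: it keeps JavaScript disabled as in the compliant snippet and, going beyond what the rule itself checks, also closes the local-file and content-injection paths described above. The class name `LockedDownWebView` and the host `app.example.com` are assumptions chosen for illustration.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical helper; the name and the trusted host are placeholders. */
public final class LockedDownWebView {
    // Placeholder: the single origin this WebView is meant to display.
    private static final String TRUSTED_HOST = "app.example.com";

    private LockedDownWebView() {}

    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();

        // The setting this rule checks: no script execution in the WebView.
        settings.setJavaScriptEnabled(false);

        // Deny file:// and content:// loads so web content cannot reach local data.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Cancel page-initiated navigations that leave the trusted HTTPS origin.
        // This callback is not invoked for URLs the app passes to loadUrl() itself.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isTrusted(request.getUrl()); // true = block the navigation
            }
        });
    }

    /** Accepts only https://TRUSTED_HOST/...; any other scheme or host is rejected. */
    static boolean isTrusted(Uri uri) {
        return "https".equalsIgnoreCase(uri.getScheme())
                && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

Call `LockedDownWebView.configure(webView)` before the first `loadUrl()` so the restrictions are in place when content starts loading.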