
I am using various 3rd-party libs like cordova.js, jQuery, jQuery Mobile, Mobilizer and so on in an Android mobile app. These libs are found to have various XSS vectors through insecure use of eval, setTimeout, innerHTML/outerHTML and so on. However, the modules which have these issues are not used/called in the application.

Considering the above scenario, is there any way by which an attacker can exploit my app based on the XSS vectors in the 3rd-party libs, even if the vulnerable modules are not used in my app?

This question is with reference to my previous question: 'How to secure app against XSS vectors present in 3rd party js libs?'


1 Answer

If the code containing the XSS exploit is not in your application, then your application is not compromised by those vulnerabilities. However, there can be other vulnerabilities lurking around.

edit: beware of this difference: not used/called != not present. If the code is present, then the attacker could use it. If you don't need the vulnerable code, a desirable move would be to prune these modules from the application.

    I disagree with "if the code is present, the attacker could use it" being a problem. If the attacker can execute JavaScript on the page they can do whatever they want regardless of whether code for it pre-exists or not. – JJJ Mar 12 '13 at 07:26
  • Well, my point is that if you know you have some "dangerous" code in your app and you don't need it at all, there is no (technical) reason to keep it. – orique Mar 12 '13 at 07:29
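To act on the answer's advice (prune bundled modules that are present but unused), it helps to first inventory where the sinks named in the question (eval, string-argument setTimeout/setInterval, innerHTML/outerHTML assignment) occur in the shipped library files. The script below is an added example written for this page, not code from the question, the answer or any of the named libraries; the sample library source is constructed, and the pattern list is a heuristic that flags candidates for review rather than confirmed vulnerabilities.

```javascript
// Regex-based sink inventory for bundled JavaScript. Each pattern names one of
// the risky sinks discussed in the question; matches are review candidates.
const SINK_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "Function constructor", re: /\bnew\s+Function\s*\(/ },
  // A string literal as the first argument is compiled and run like eval.
  { name: "setTimeout/setInterval(string)", re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
  // Assignment (not comparison) to innerHTML/outerHTML inserts markup into the DOM.
  { name: "innerHTML/outerHTML assignment", re: /\.(?:inner|outer)HTML\s*=[^=]/ },
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
];

// Scan one file's source text; returns [{ file, line, sink, text }] with 1-based lines.
function findSinks(source, fileName = "<inline>") {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const { name, re } of SINK_PATTERNS) {
      if (re.test(text)) {
        hits.push({ file: fileName, line: i + 1, sink: name, text: text.trim() });
      }
    }
  });
  return hits;
}

// Count hits per sink name so a bundle can be compared before and after pruning.
function summarize(hits) {
  const counts = {};
  for (const h of hits) counts[h.sink] = (counts[h.sink] || 0) + 1;
  return counts;
}

// Constructed sample standing in for a bundled third-party library: one module
// uses risky sinks, the other only safe DOM APIs (textContent, strict equality).
const SAMPLE_LIB = `
function renderWidget(el, html) {
  el.innerHTML = html;          // markup from the caller reaches the DOM
}
function runTemplate(tpl) {
  return eval("(" + tpl + ")");
}
setTimeout("tick()", 1000);
function safeText(el, s) {
  el.textContent = s;           // not a sink
  if (el.innerHTML === s) return true;
}
`;

const sampleHits = findSinks(SAMPLE_LIB, "lib.js");
for (const h of sampleHits) console.log(`${h.file}:${h.line} ${h.sink}: ${h.text}`);
```

Run it over the actual files shipped in the app's assets directory (e.g. by reading each file with `fs.readFileSync` and passing it to `findSinks`) to see which modules carry the sinks and decide what can be dropped.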