Mobilefirst Vulnerable version of Apache Cordova

Question

I just recieved a mail from Google play about my MobileFirst 6.3 app: Please migrate your app(s) to Apache Cordova v.4.1.1 or higher as soon as possible.

I have a new version of my app on MobileFirst 7.1, but this new version is only running on Cordova v 3.7.0.

Which version of MobileFirst will be based on v4.1.1 and when can we expect it, if it is not out already? What would be your advised approach, release the app based on cordova 3.7.0 quickly while we still can or wait for cordova 4.1.1 to be included in MobileFirst?

As requested: The following page contains more details about the vulnerabilities: https://support.google.com/faqs/answer/6325474

Answer 1

No version of Worklight/MobileFirst is supplied with Cordova 4.1.1.

However,
IBM patches the Cordova version shipped in Worklight/MobileFirst with fixes to found vulnerabilities.

For this particular announcement by Google, see here: https://mobilefirstplatform.ibmcloud.com/blog/2016/02/16/ibm-mobilefirst-platform-foundation-responds-to-google-play-store-announcement-of-blocking-apps-using-vulnerable-cordova-versions/

In general:

Ensure that you are using the latest available Worklight/MobileFirst iFix and have the application re-built in order to use the patched Cordova.

See below for more information:

• https://mobilefirstplatform.ibmcloud.com/blog/2016/02/24/cve-2015-5256-apache-cordova-vulnerable-to-improper-application-of-whitelist-restrictions-on-android/
• https://developer.ibm.com/mobilefirstplatform/2015/12/11/cve-2015-5257cve-2015-8320-weak-randomization-of-bridgesecret-for-apache-cordova-android/
• https://developer.ibm.com/mobilefirstplatform/2015/07/30/cve-2015-1835-remote-exploit-in-apache-cordova/
• https://developer.ibm.com/mobilefirstplatform/2015/10/08/cve-2015-5204-http-header-injection-vulnerability-in-apache-cordova-android-file-transfer-plugin/