Google Play Console now has a list of potentially vulnerable JavaScript libraries for each app.

https://support.google.com/faqs/answer/9464300

However, I am not able to find the related CVE for a couple of the libraries that it has flagged. Notably:

  • angular-cookies, which is a dependency of angularLocalStorage
  • angular-sanitize, which is a dependency of angular-translate

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=angular

There is a CVE for textAngular-sanitize.js. Is that the reason there is a false positive for angular-sanitize?

There are also no vulnerabilities listed in the page for ngSanitize, which is part of the AngularJS core libraries.

https://code.angularjs.org/1.5.11/docs/api/ngSanitize

I am filing this question because the support page says:

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”

Shankari

0 Answers