Security update available for the Adobe PhoneGap Push Plugin | APSB18-15
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB18-15 | April 10, 2018 | 3 |

Summary

Adobe has released an update for the Adobe PhoneGap Push plugin. This update resolves a Same-Origin Method Execution (SOME) vulnerability (CVE-2018-4943) that exists in PhoneGap apps built with the affected version of the Push plugin. This vulnerability could be exploited to trick users of PhoneGap apps into executing click events and other unintended user interactions.

Affected Versions

| Product | Affected Versions | Platform |
|---|---|---|
| Adobe PhoneGap Push plugin | 1.8.0 and earlier versions | All |

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installations to the newest versions:

| Product | Updated Version | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Adobe PhoneGap Push plugin | 2.1.0 | All | 3 | GitHub |

Note.

After updating to the latest version of the plugin, application authors should recompile any apps built with PhoneGap using the new plugin.

Vulnerability Details

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Same-Origin Method Execution | JavaScript code execution in the context of the PhoneGap app | Important | CVE-2018-4943 |

Acknowledgements

Adobe would like to thank Juho Nurminen of 2NS - Second Nature Security Oy (CVE-2018-4943) for reporting this issue and for working with Adobe to help protect our customers.