Google Play Store Security Alert Says that your app contains Vulnerable JavaScript libraries how to remove the security warning?

4

17

In the Google Play Store I am getting a warning like the one below:

Your app contains one or more libraries with known security issues. Please see this Google Help Center article for details.

Vulnerable JavaScript libraries:

  • Name --> jquery
  • Version --> 3.3.1
  • Known issues --> SNYK-JS-JQUERY-174006
  • Identified files --> res/raw/jquery_min.js

Note: when loading a WebView in my app I intercept the request for the WebView URL and load the local jquery_min.js file from the raw resource folder, which helps us load the web page faster; this function saves me 5 GB of downloads from the server per month.


Sample WebView Program

    LoadLocalScripts localScripts = new LoadLocalScripts(this);
    webView.setWebViewClient(new WebViewClient() {

        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            // Returning true tells the WebView not to navigate itself; the initial
            // loadUrl() call below is not routed through this callback.
            return true;
        }

        // Show loader on url load
        @Override
        public void onLoadResource(WebView view, String url) {
        }

        @Override
        public void onPageFinished(WebView view, String url) {
        }

        @Override
        public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {
        }

        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
            // Serve matching scripts and styles from res/raw; anything else goes to the network.
            WebResourceResponse response = localScripts.getLocalSCripts(url);
            if (response == null) {
                return super.shouldInterceptRequest(view, url);
            } else {
                return response;
            }
        }
    });

    webView.loadUrl(url);

Class for Loading local scripts

    import android.content.Context;
    import android.webkit.WebResourceResponse;

    import java.io.InputStream;

    // R below is the app's generated resource class (res/raw entries).
    public class LoadLocalScripts {
        private final Context ctx;

        public LoadLocalScripts(Context context) {
            ctx = context;
        }

        /**
         * Maps a requested URL to a bundled copy in res/raw, or returns null so the
         * WebView fetches it from the network. Matching is by substring of the whole
         * URL, so any page loaded in the WebView that requests a URL containing one of
         * these file names, whatever its host, receives the bundled copy.
         */
        public WebResourceResponse getLocalSCripts(String url) {
            //Log.e("url_raw",url);

            if (url.contains(".css")) {
                if (url.contains("bootstrap.min.css")) {
                    return getCssWebResourceResponseFromRawResource("bootstrap_min.css");
                } else {
                    return null;
                }
            } else if (url.contains(".js")) {
                if (url.contains("bootstrap.min.js")) {
                    return getScriptWebResourceResponseFromRawResource("bootstrap_min.js");
                } else if (url.contains("jquery.lazyload.min.js")) {
                    return getScriptWebResourceResponseFromRawResource("lazyload_min.js");
                } else {
                    return null;
                }
            } else {
                return null;
            }
        }

        /**
         * Return WebResourceResponse with CSS markup from a raw resource (e.g. "raw/style.css").
         */
        private WebResourceResponse getCssWebResourceResponseFromRawResource(String name) {
            //Log.e("url_raw",name);
            if (name.equalsIgnoreCase("bootstrap_min.css")) {
                return getUtf8EncodedCssWebResourceResponse(ctx.getResources().openRawResource(R.raw.bootstrap_min));
            } else {
                return null;
            }
        }

        /**
         * Return WebResourceResponse with JavaScript from a raw resource.
         */
        private WebResourceResponse getScriptWebResourceResponseFromRawResource(String name) {
            //Log.e("url_raw",name);
            if (name.equalsIgnoreCase("bootstrap_min.js")) {
                return getUtf8EncodedScriptWebResourceResponse(ctx.getResources().openRawResource(R.raw.bootstrap_min_js));
            } else if (name.equalsIgnoreCase("lazyload_min.js")) {
                return getUtf8EncodedScriptWebResourceResponse(ctx.getResources().openRawResource(R.raw.lazyload_min));
            } else {
                return null;
            }
        }

        private WebResourceResponse getUtf8EncodedCssWebResourceResponse(InputStream data) {
            return new WebResourceResponse("text/css", "UTF-8", data);
        }

        private WebResourceResponse getUtf8EncodedScriptWebResourceResponse(InputStream data) {
            return new WebResourceResponse("text/javascript", "UTF-8", data);
        }
    }

  1. If I update to the new jQuery script, will Google Play remove the security alert (Vulnerable JavaScript libraries)?
  2. If I place the jQuery script somewhere else in my app, will Google Play remove the security alert?
  3. Let me know what the efficient way is to load the script in the WebView without loading it from the server every time.
Numberless answered 10/10, 2019 at 5:48 Comment(1)
You could probably download the scripts from a cloud bucket (maybe Firebase) and then use them. By doing so, the Play Console will not find any vulnerabilities in your app.Hertzfeld
15

This issue refers to an old vulnerability of jQuery in your res/raw/jquery_min.js file.

Just update jquery_min.js to v3.4.1 and that fixes it.

You can fix it manually in your file by changing this in the code:

From:

    if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||

To:

    if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(k.isPlainObject(r)||

I found this solution at https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ and it worked for me.

Kannan answered 13/10, 2019 at 15:36 Comment(1)
Sir, I am only showing a URL in the WebView, nothing else, no jQuery, but I am still getting this error in the Play Store. Why??Mcphail
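The patch quoted in this answer adds the comparison `"__proto__"!==t` to the loop inside `jQuery.extend`. The following is an added example, not code from the question, from this answer or from jQuery itself: it reproduces the defect behind SNYK-JS-JQUERY-174006 (CVE-2019-11358, prototype pollution through a deep `extend`) in a small merge function and shows what that single guard changes. `deepExtend`, `isPlainObject`, `runDemo` and the JSON sample are this example's own constructions, written to mirror the shape of the jQuery loop rather than its exact code.

```javascript
// Added example: a minimal deep merge in the shape of jQuery.extend(true, target, source),
// used to show the prototype-pollution defect fixed in jQuery 3.4.0 (CVE-2019-11358,
// SNYK-JS-JQUERY-174006). deepExtend/isPlainObject/runDemo are this example's own names.

// True for plain objects only (object literals, JSON.parse results), never arrays or class instances.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Recursive merge of `source` into `target`.
// guardProto = false mirrors the pre-3.4.0 loop: a key literally named "__proto__" is merged like
// any other key, and because target["__proto__"] resolves to Object.prototype, the nested values
// land on Object.prototype and appear on every object in the process.
// guardProto = true skips that key, which is what the quoted 3.4.0 diff does ("__proto__"!==t).
function deepExtend(target, source, guardProto) {
  for (const key in source) {
    if (guardProto && key === "__proto__") continue; // the 3.4.0 fix
    const srcVal = source[key];
    if (srcVal === target) continue;                 // jQuery also skips self-references
    if (isPlainObject(srcVal)) {
      const existing = target[key];
      const into = isPlainObject(existing) ? existing : {};
      target[key] = deepExtend(into, srcVal, guardProto);
    } else if (srcVal !== undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed sample of untrusted input, e.g. a JSON document that a page merges into its options.
// JSON.parse creates an *own* enumerable property named "__proto__", so for...in visits it.
const UNTRUSTED_JSON = '{"title": "hello", "__proto__": {"polluted": true}}';

// Runs the merge once and reports whether an unrelated fresh object acquired the injected key.
// Removes the key from Object.prototype afterwards so the rest of the process is unaffected.
function runDemo(guardProto) {
  const merged = deepExtend({}, JSON.parse(UNTRUSTED_JSON), guardProto);
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { title: merged.title, polluted: polluted };
}

console.log("unguarded merge pollutes Object.prototype:", runDemo(false).polluted); // true
console.log("guarded merge pollutes Object.prototype:", runDemo(true).polluted);    // false
```

The point for the question: the Play warning is about this behaviour in the bundled file, so the durable fix is shipping a version whose `extend` contains the guard (3.4.0 or later, or a backport of the same change), regardless of where in the APK the file lives.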
3
  1. Use the latest jQuery, v3.4.0+.
  2. If the old jQuery v1.x/v2.x must be used because your code or third-party libraries depend on it (like jQuery Mobile etc.), you can take a patch from DanielRuf's snyk-js-jquery-174006 (*)

(*) But I am not sure how Google finds that the jQuery file in the APK has the vulnerability and has been patched... needs testing (**)

2/1/2020 update: at this time, the file patched with method 2 above cannot avoid Google's alert check. But removing the first comment line

    /*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */

inside jquery-2.2.4.min.js seems to have worked in my new release. (This also worked even on the unpatched file in my test; however, it is better to make a patch.)

Purgatorial answered 25/12, 2019 at 8:0 Comment(2)
Thanks, removing the jQuery version comment from the .js file was all it took.Xochitlxp
Can confirm that the "fix" consisting of removing the jQuery version from the header comment in the .js file still works in 2023...Pixilated
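Whether a bundled copy still carries the defect can be checked before upload, without guessing at what the Play Console's scanner looks for. The following is an added example, not code from any answer here: it classifies a jQuery file by its version banner (the fix shipped in 3.4.0) and by the presence of the `"__proto__"` guard that both the official 3.4.0+ builds and DanielRuf's backport add to the `extend` loop. A file with neither a banner nor the guard is reported for manual review rather than treated as clean. The function names and the sample file excerpts are constructed for this example.

```javascript
// Added example: pre-upload audit of a bundled jQuery file against SNYK-JS-JQUERY-174006
// (prototype pollution in jQuery.extend, fixed in 3.4.0). Not code from the answers above;
// parseJqueryVersion/hasProtoGuard/classifyBundledJquery and SAMPLES are constructed here.

const FIXED_VERSION = [3, 4, 0];

// Reads "2.2.4" from banners such as "/*! jQuery v2.2.4 | (c) jQuery Foundation ..." (minified)
// or " * jQuery JavaScript Library v1.12.4" (unminified). Returns null when no banner is found.
function parseJqueryVersion(source) {
  const m = source.match(/jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of [major, minor, patch] triples.
function isBelow(version, reference) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== reference[i]) return version[i] < reference[i];
  }
  return false;
}

// The fixed extend loop skips the "__proto__" key. Both the official 3.4.0+ builds and the
// backport for 1.x/2.x contain that literal comparison, so its presence is a usable second signal.
function hasProtoGuard(source) {
  return /"__proto__"\s*!==\s*[A-Za-z_$][\w$]*/.test(source);
}

// "patched":                version >= 3.4.0, or no banner but the guard is present
// "patched-but-old-banner": old version banner, guard present (backported patch)
// "affected":               old version banner, no guard
// "unknown-version":        no banner and no guard; inspect manually instead of passing it
function classifyBundledJquery(source) {
  const version = parseJqueryVersion(source);
  const guarded = hasProtoGuard(source);
  if (version === null) return guarded ? "patched" : "unknown-version";
  if (!isBelow(version, FIXED_VERSION)) return "patched";
  return guarded ? "patched-but-old-banner" : "affected";
}

// Constructed excerpts standing in for real files; only the banner and the extend loop matter here.
const SAMPLES = {
  affected: '/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n' +
            'if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||',
  patched:  '/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */\n' +
            'if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(k.isPlainObject(r)||',
  backport: '/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */\n' +
            'if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(',
  noBanner: 'if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(',
};

for (const name of Object.keys(SAMPLES)) {
  console.log(name, "->", classifyBundledJquery(SAMPLES[name]));
}
```

In a build step you would read the actual res/raw or assets file with `fs.readFileSync` and fail the build on any result other than `"patched"`; the `"patched-but-old-banner"` and `"unknown-version"` outcomes are exactly the files that deserve a second look before release.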
1

Security notification

Your application contains one or more libraries that have general security issues. Please see this Google Help Center article for details.

Vulnerable JavaScript library:

  • Name --> jquery
  • Version --> 2.2.4
  • Known issues --> SNYK-npm:jquery:20150627, SNYK-JS-JQUERY-174006
  • Identified files --> assets/jquery-2.2.4.min.js

Affects APK version 9.

Problem: I have used jQuery version 3.4.1 and it has an effect on the appearance of my application; for example, in the display theme the application icon is not visible and becomes messy.

Correct... I changed to version 3.4.1 and the security warning from Google was resolved, but the application icon is not visible and becomes messy.

Magnify answered 22/10, 2019 at 12:8 Comment(0)
1

I have solved this by using jQuery from a CDN.

I am using jQuery Mobile in my apps, which is not supported by jQuery v3+. So I had no choice but to stick with jQuery v2. So I used Google's CDN instead of the local .js file and it worked!

Vinasse answered 30/5, 2020 at 3:46 Comment(0)
