
fix(android): Add mitigation strategy for CVE-2020-6506 #792

Merged
merged 1 commit into from
Nov 17, 2020

Conversation

carlpoole
Contributor

@carlpoole carlpoole commented Oct 7, 2020

Platforms affected

Android

Motivation and Context

These changes mitigate the security vulnerability (CVE-2020-6506) recently found in Chromium that affects the Android WebView prior to version 83.0.4103.106.

See: https://cordova.apache.org/news/2020/09/29/cve-2020-6506.html
See: https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/
See: https://bugs.chromium.org/p/chromium/issues/detail?id=1083819

Description

This mitigation strategy works by enabling the flag to handle multiple windows in the InAppBrowser plugin. When a new window event occurs, the plugin attempts to load the target in a temporary WebView. If the URL is clean it will be passed back to the original InAppBrowser WebView to mimic the original single-window behavior. This filters out JavaScript (and thus any malicious code).

Testing

This mitigation was tested using proof-of-concept pages provided by the security researcher who discovered the vulnerability (Alesandro Ortiz) linked here: https://alesandroortiz.com/security/chromiumwebview/cve-2020-6506.html

Checklist

  • I've run the tests to see all new and existing tests pass
  • I added automated test coverage as appropriate for this change
  • Commit is prefixed with (platform) if this change only applies to one platform (e.g. (android))
  • If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct keyword to close issues using keywords)
  • I've updated the documentation if necessary
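The pattern the PR body describes (opt in to multiple windows, catch the new-window event in a throwaway WebView, replay only a clean URL in the original WebView), as an added example written for a plain Android WebView. It is not the plugin's own patch; the class name, `install` and `isSafeToReplay` are assumed, and the `WebResourceRequest` overload of `shouldOverrideUrlLoading` requires API level 24 or newer.

```java
import android.os.Message;
import android.webkit.WebChromeClient;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Locale;

// Added example, not the cordova-plugin-inappbrowser code.
public class MultiWindowMitigation {
    public static void install(final WebView webView) {
        WebSettings settings = webView.getSettings();
        // Route window.open / target="_blank" through onCreateWindow instead of
        // letting Chromium handle the popup inside the same WebView.
        settings.setSupportMultipleWindows(true);
        settings.setJavaScriptCanOpenWindowsAutomatically(true);

        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onCreateWindow(final WebView view, boolean isDialog,
                                          boolean isUserGesture, Message resultMsg) {
                // Temporary WebView: it exists only to learn where the popup wants
                // to go. Scripting stays off so nothing it carries can execute.
                WebView probe = new WebView(view.getContext());
                probe.getSettings().setJavaScriptEnabled(false);
                probe.setWebViewClient(new WebViewClient() {
                    @Override
                    public boolean shouldOverrideUrlLoading(WebView w, WebResourceRequest req) {
                        String url = req.getUrl().toString();
                        if (isSafeToReplay(url)) {
                            // Clean URL: replay it in the original WebView to keep
                            // the single-window behaviour users expect.
                            view.loadUrl(url);
                        }
                        // Never let the probe navigate; tear it down afterwards.
                        w.post(w::destroy);
                        return true;
                    }
                });
                WebView.WebViewTransport transport = (WebView.WebViewTransport) resultMsg.obj;
                transport.setWebView(probe);
                resultMsg.sendToTarget();
                return true;
            }
        });
    }

    /** Only http(s) destinations are replayed; javascript:, data: and the like are dropped. */
    static boolean isSafeToReplay(String url) {
        String lower = url.trim().toLowerCase(Locale.ROOT);
        return lower.startsWith("https://") || lower.startsWith("http://");
    }
}
```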

@NiklasMerz
Member

Strangely, my very old WebView in the emulator throws an error without this mitigation and does not seem vulnerable. I'm not sure if I understand this correctly though.


@NiklasMerz NiklasMerz merged commit e1d0777 into apache:master Nov 17, 2020
jessyefuster pushed a commit to jessyefuster/cordova-plugin-inappbrowser that referenced this pull request Aug 17, 2023
…nk targets opening

Revert "fix(android): Add mitigation strategy for CVE-2020-6506 (apache#792)"

This reverts commit e1d0777.