We're using the Data Theorem mobile security tool and getting the following high priority alert:
Google Play Blocker: Cross App Scripting Vulnerability
The following Java or Kotlin Activities contain WebViews that are vulnerable to Cross App Scripting: com.box.androidsdk.content.auth.OAuthActivity
WebViews that enable JavaScript and load data read from untrusted Intents can be tricked by malicious Apps into executing JavaScript code in an unsafe context.
Is this a known issue? Is there a plan for getting it fixed?
I can post their recommended solutions if needed.
*. We're currently using version 5.0.0, which is available on Maven, but I can't find any reference to it in the repository releases. Should we change it to the latest one shown here (4.2.3)?
Hi @mosess, thanks for reporting this issue. We'll take a look into the security vulnerability and get back to you soon with an update on when we can get this fixed.
Regarding the version, you'll want to use 4.2.3. The 5.0.0 version on Maven looks like it may have been a mistake that we'll look into removing.
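The alert quoted in the report concerns a WebView with JavaScript enabled loading data taken from an Intent another app can send. The following is an added example, not code from the Box SDK and not Data Theorem's recommended fix: a strict allowlist check applied to an Intent-supplied URL before it would be handed to `WebView.loadUrl()`. The class name `IntentUrlGuard` and the host `login.example.com` are hypothetical, and the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example: allowlist check for a URL received in an Intent. */
public final class IntentUrlGuard {
    // Assumption: the only origin this hypothetical WebView should ever display.
    private static final Set<String> ALLOWED_HOSTS = Set.of("login.example.com");

    /** Returns the URL if it is safe to load, or null if it must be rejected. */
    public static String sanitize(String fromIntent) {
        if (fromIntent == null) return null;
        final URI uri;
        try {
            uri = new URI(fromIntent.trim());
        } catch (URISyntaxException e) {
            return null; // unparseable input is never loaded
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Rejects javascript:, file:, content:, data:, intent: and plain http.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return null;
        // Exact host match; suffix or "contains" checks accept look-alike hosts.
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;
        // Credentials in the authority can disguise the real host.
        if (uri.getUserInfo() != null) return null;
        return uri.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, standing in for Intent extras.
        String[] samples = {
            "https://login.example.com/oauth2/authorize?client_id=abc",
            "javascript:alert(1)",
            "file:///data/data/com.example.app/shared_prefs/auth.xml",
            "https://login.example.com.evil.test/authorize",
            "https://login.example.com@evil.test/authorize",
            "http://login.example.com/authorize",
        };
        for (String s : samples) {
            System.out.println((sanitize(s) != null ? "LOAD   " : "REJECT ") + s);
        }
    }
}
```

Only the first sample is accepted. In an Activity, the check would run on the value read from the launching Intent, and the Activity would finish without loading anything when `sanitize` returns null.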