CVE-2021-43849: 
JavaScript vulnerability analysis and mitigation

The cordova-plugin-fingerprint-aio, a plugin that provides a unified interface for accessing fingerprint APIs on Android 6+ and iOS, contained a vulnerability (CVE-2021-43849) discovered in versions prior to 5.0.1. The vulnerability was related to an exported activity de.niklasmerz.cordova.biometric.BiometricActivity that could cause applications to crash when receiving invalid or empty data. The issue was disclosed and patched in December 2021 (GitHub Advisory).

The vulnerability stemmed from the exported Android activity de.niklasmerz.cordova.biometric.BiometricActivity which failed to properly handle cases where it received invalid or empty data through intents. Any third-party application could call this activity without requiring permissions, leading to potential crashes. The vulnerability received a CVSS v3.1 base score of 7.2 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L (GitHub Advisory).

The vulnerability could be exploited by a third-party application or remote attacker to cause denial of service (DoS) conditions. By continuously calling the vulnerable activity with invalid data, an attacker could prevent the victim's application from functioning properly, effectively making it unusable (GitHub Advisory).

The vulnerability was fixed in version 5.0.1 of cordova-plugin-fingerprint-aio by no longer exporting the problematic activity. For users unable to upgrade immediately, a workaround was provided to change the attribute android:exported to false in the plugin.xml file. Users were strongly advised to upgrade to version 5.0.1 as soon as possible (GitHub Release).