Reolink javascript injection (qr code)

1. Reporting information

Team name : Team Brrester

2. Overview of Vulnerabilities

Vulnerability title: javascript injection
Date of discovery: 2025.05.25
Discovery Location (URL or System Path) : com.mcu.reolink/com.android.bc.GeneralWebViewActivity
Vulnerability Type (CWE ID): CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-94: Improper Control of Generation of Code ('Code Injection')
Vulnerability Description: An XSS vulnerability that can allow malicious JavaScript to be inserted by executing the external input qr code value in the 'valuateJavascript()' function in GeneralWebView Activity without proper verification.

3. Details

Impacted Products/Services: Reolink App
Product version: Reolink 4.54.0.4.20250526
Vulnerable Components: com.mcu.reolink/com.android.bc.GeneralWebViewActivity
Attack Vector :

When 'ScanQrcode' in JS bridge runs in Generalwebview Activity

((ActivityGeneralWebviewBinding) getMViewBind()).webView.registerHandler("scanQRCode", new BridgeHandler() { 
            @Override // com.github.lzyzsd.jsbridge.BridgeHandler
            public final void handler(String str, CallBackFunction callBackFunction) {
                GeneralWebViewActivity.registerHandler$lambda$12(this.f$0, str, callBackFunction);
            }
        });

registerHandler$lambda$12 runs internally

public static final void registerHandler$lambda$12(GeneralWebViewActivity this$0, String str, CallBackFunction callBackFunction) {
        Intrinsics.checkNotNullParameter(this$0, "this$0");
        BCLog.d(TAG, "scanQRCode !");
        this$0.capTureFunction = callBackFunction;
        CaptureActivity.INSTANCE.open(this$0, CaptureTpe.SIMCARD, null, Integer.valueOf(RouterLaunch.INSTANCE.getWEB_REQUEST_CODE()));
    }

Run Capture Activity with the SIMCARD factor.

public final void open(Activity context, CaptureTpe type, String homeBaseUUID, Integer result) {
            Intrinsics.checkNotNullParameter(type, "type");
            BCLog.d("CaptureActivity", "type :" + type.name());
            if (result == null) {
                if (context != null) {
                    Intent intent = new Intent(context, (Class<?>) CaptureActivity.class);
                    intent.putExtra(CaptureActivity.KEY_CAPTURE_TYPE, type.name());
                    if (type == CaptureTpe.HOMEBASE) {
                        intent.putExtra(KeyConstantsKt.KEY_DEVICE_UUID, homeBaseUUID);
                    }
                    context.startActivity(intent);
                    return;
                }
                return;
            }
            if (context != null) {
                Intent intent2 = new Intent(context, (Class<?>) CaptureActivity.class);
                intent2.putExtra(CaptureActivity.KEY_CAPTURE_TYPE, type.name());
                if (type == CaptureTpe.HOMEBASE) {
                    intent2.putExtra(KeyConstantsKt.KEY_DEVICE_UUID, homeBaseUUID);
                }
                context.startActivityForResult(intent2, result.intValue());
            }
        }

CaptureTpe contains SIMCARD values, so SimCard Capture Fragment

public void onScanResult(final String str) {
        this.mUIHandler.post(new Runnable() { // from class: com.android.bc.Zxing.SimCardCaptureFragment$$ExternalSyntheticLambda9
            @Override // java.lang.Runnable
            public final void run() throws IllegalStateException {
                this.f$0.lambda$onScanResult$4(str);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public /* synthetic */ void lambda$onScanResult$4(String str) throws IllegalStateException {
        this.inactivityTimer.onActivity();
        playBeepSoundAndVibrate();
        BCLog.d(TAG, "resultString:" + str);
        Intent intent = new Intent();
        intent.putExtra("resultString", str);
        if (getActivity() != null) {
            ActivityExtKt.finishWithResult(getActivity(), intent);
        }
    }