I wish I had tested this sooner, but yes, WebView is vulnerable (use document.write(document.domain) instead of alert() to test). So afaict apps that embed WebView/ads on < 4.4 are at risk.
How would this be exploited? Can you read the contents of a WebView in another process? Your users would have to navigate somehow to an exploited page (via an ad)?
ClashTheBunny|11 years ago