WebViews can be used to display web content as part of a mobile application. A
browser engine is used to render and display the content. Like a web
application, a mobile application that uses WebViews can be vulnerable to
Cross-Site Scripting if untrusted code is rendered. In the context of a WebView,
JavaScript code can exfiltrate local files that might be sensitive or even
worse, access exposed functions of the application that can result in more
severe vulnerabilities such as code injection. Thus JavaScript support should
not be enabled for WebViews unless it is absolutely necessary and the
authenticity of the web resources can be guaranteed.