Mobilefirst vulnerable version of Android Apache Cordova

I just received an email from Google play about my mobilefirst 6.3 application: Please migrate your application to Apache Cordova v.4.1.1 or later as soon as possible

I have a new version of my application on mobilefirst 7.1, but this new version only runs on Cordova V 3.7.0

Which version of mobilefirst will be based on v4.1.1, if not yet released, when can we expect it? Do you have any suggestions to quickly release applications based on Cordova 3.7.0 while we can still or wait to include Cordova 4.1.1 in mobilefirst?

Upon request: the following pages contain more details about the vulnerability: https://support.google.com/faqs/answer/6325474

resolvent:

Cordova 4.1.1 does not provide any version of worklight / mobilefirst

However, IBM patched the Cordova version included in worklight / mobilefirst and fixed the discovered vulnerabilities

For Google's special announcement, see here: https://mobilefirstplatform.ibmcloud.com/blog/2016/02/16/ibm-mobilefirst-platform-foundation-responds-to-google-play-store-announcement-of-blocking-apps-using-vulnerable-cordova-versions/

In general:

Make sure you are using the latest available worklight / mobilefirst iFIX and rebuild the application to use the patched Cordova

See the following details:

> https://mobilefirstplatform.ibmcloud.com/blog/2016/02/24/cve-2015-5256-apache-cordova-vulnerable-to-improper-application-of-whitelist-restrictions-on-android/ > https://developer.ibm.com/mobilefirstplatform/2015/12/11/cve-2015-5257cve-2015-8320-weak-randomization-of-bridgesecret-for-apache-cordova-android/ > https://developer.ibm.com/mobilefirst platform/2015/07/30/cve-2015-1835-remote-exploit-in-apache-cordova/ > https://developer.ibm.com/mobilefirstplatform/2015/10/08/cve-2015-5204-http-header-injection-vulnerability-in-apache-cordova-android-file-transfer-plugin/