Android native bridge security concerns
Quoting the Iframes and the Callback Id Mechanism section of the Security Guide:
If content is served in an iframe from a whitelisted domain, that domain will have access to the native Cordova bridge. This means that if you whitelist a third-party advertising network and serve those ads through an iframe, it is possible that a malicious ad will be able to break out of the iframe and perform malicious actions. Because of this, you should generally not use iframes unless you control the server that hosts the iframe content. Also note that there are third party plugins available to support advertising networks. Note that this statement is not true for iOS, which intercepts everything including iframe connections.
We are in a situation where we have iframes that can serve content from a third party source not controlled by us (integrations/plugins in our app). Our own app data is secured; the only way to communicate with our app is via window.postMessage. We even have 2 levels of iframe — it’s an iframe inside an iframe — where the first level is controlled by us (for CSP reasons).
When inspecting from the uncontrolled iframe, you can indeed have access to the _cordovaNative object, which has the exec method. As you can see from the method signature, it expects a bridgeSecret as the first parameter. Said secret seems to be generated from the native side, and any attempt at using the method with the wrong secret will completely disable the bridge.
My question is: since the secret isn’t exposed to JavaScript, it’s a different one for everyone, and it changes every time you reload the app, how can this bridge exposure be exploited? I’d also be curious to know how plugins can still use cordova.exec without the bridge secret.
If the cross-origin iframe can access window.frameElement then it is unsafe in the browser, too. Without cordova you may not be able to run native code but you can still steal authentication tokens, overlay malicious login screens, etc. So I don’t understand why you shouldn’t assume that frameElement is null; if it isn’t then you have so many other problems before you even get to the cordova native bridge.

Sure thing! Thanks again.
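As an added example (not code from the original issue, from Apache Cordova, or from the maintainer who replied), the host-side JavaScript below puts the two points of the thread together: the question's design, where embedded content may only talk to the app through window.postMessage, and the reply's rule of thumb that a properly cross-origin iframe sees window.frameElement as null. The allowlisted origin https://plugins.example.com, the action names, and the window stand-ins are constructed for the demo so it runs outside a browser.

```javascript
// Added example (not from the original issue or from Apache Cordova): a
// host-page postMessage validator for the layout described in the issue,
// where the host embeds a first-level iframe it controls and that frame
// embeds third-party content, plus an isolation check based on the reply's
// rule of thumb that a cross-origin iframe sees window.frameElement === null.
// Origins, action names and window stand-ins are constructed for the demo.

// Exact origins the host accepts messages from (assumption: the first-level
// frame is served from this origin). Membership is checked exactly.
const ALLOWED_ORIGINS = new Set(["https://plugins.example.com"]);

// The only actions the host is willing to perform for embedded content.
const ALLOWED_ACTIONS = new Set(["ready", "resize"]);

// Validate one MessageEvent-like object. Returns {ok:true, action, payload}
// or {ok:false, reason}. The origin is compared exactly: a prefix or regex
// check would also admit "https://plugins.example.com.evil.invalid".
function validateMessage(event, expectedSourceWindow) {
  if (typeof event.origin !== "string" || !ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin not allowlisted" };
  }
  // Pin the sender to our own iframe's contentWindow. Nested frames can also
  // post to window.top, so the origin check alone does not identify the sender.
  if (event.source !== expectedSourceWindow) {
    return { ok: false, reason: "unexpected source window" };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    return { ok: false, reason: "malformed message" };
  }
  if (typeof data.action !== "string" || !ALLOWED_ACTIONS.has(data.action)) {
    return { ok: false, reason: "unknown action" };
  }
  return { ok: true, action: data.action, payload: data.payload };
}

// Classify a frame's window. In a browser, window.frameElement is null (or
// throws, in some engines) when the embedder is cross-origin; a non-null value
// means the frame is same-origin with its parent and already shares the
// parent's privileges, Cordova bridge or not.
function frameIsolationReport(win) {
  let sameOriginWithParent = false;
  try {
    sameOriginWithParent = win.frameElement != null;
  } catch (e) {
    sameOriginWithParent = false;
  }
  const bridge = win._cordovaNative;
  const cordovaBridgeReachable = bridge != null && typeof bridge.exec === "function";
  return { sameOriginWithParent, cordovaBridgeReachable };
}

// ---- Constructed sample input (stand-ins for browser objects) --------------
const ourFrameWindow = { name: "first-level-frame" };
const strangerWindow = { name: "some-other-frame" };

const sampleEvents = [
  { origin: "https://plugins.example.com", source: ourFrameWindow,
    data: { action: "resize", payload: { height: 480 } } },
  { origin: "https://plugins.example.com.evil.invalid", source: ourFrameWindow,
    data: { action: "resize", payload: { height: 480 } } },
  { origin: "https://plugins.example.com", source: strangerWindow,
    data: { action: "resize", payload: { height: 480 } } },
  { origin: "https://plugins.example.com", source: ourFrameWindow,
    data: { action: "exec", payload: {} } },
  { origin: "https://plugins.example.com", source: ourFrameWindow,
    data: "resize" },
];

// Run every sample through the validator and return the verdicts in order.
function triageSampleEvents() {
  return sampleEvents.map((ev) => validateMessage(ev, ourFrameWindow));
}

// Two constructed windows: a properly isolated cross-origin frame, and one
// that is same-origin with its parent and can see the native bridge object.
const isolatedFrame = { frameElement: null };
const leakyFrame = {
  frameElement: { tagName: "IFRAME" },
  _cordovaNative: { exec: function () {} },
};

triageSampleEvents().forEach((verdict, i) => console.log(i, verdict));
console.log(frameIsolationReport(isolatedFrame));
console.log(frameIsolationReport(leakyFrame));
```

Only the first sample passes: the second fails on the exact-origin check, the third on the pinned source window, the fourth on the action allowlist, and the fifth on shape. The isolation report returns `sameOriginWithParent: false` for the frame whose `frameElement` is null and `true` for the one that can see its own element and the bridge object.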