Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.