The researcher specifically says the JavaScript code does not mean our app is doing anything malicious, and admits they have no way to know what kind of data our in-app browser collects.

A new online tool named 'InAppBrowser' lets you analyze the behavior of in-app browsers embedded within mobile apps and determine if they inject privacy-threatening JavaScript into websites you visit.

How easy is for a user to modify that variable and get access? My security (and JavaScript) knowledge isn't great.

‘Shitcoin Wallet,’ an Ethereum wallet available as a Chrome Browser extension, is injecting malicious javascript to steal user’s data.