Soft Rejected: (XSS) vulnerabilities

I uploaded the Android component to codecanyon. The item is an application for downloading files and has an internal browser.
I received a notification from the site that the application has a vulnerability.

The intents could be coming from an untrusted source. It is later launched by an unprotected component com.testapp.vdp.activity.MainActivity. You could either make the component com.testapp.vdp.activity.MainActivity protected; or sanitize this intent using androidx.core.content.IntentSanitizer

Note that activity
com.testapp.vdp.activity.MainActivity
The home page of the application, not the internal browser
Its function is to control and display downloaded files.

Could the problem be from this?

Utils.This.startService(new Intent(Utils.This, DownloadService.class).putExtra(Utils.POS, Links.getPos(MainActivity.clickDown)));


Does using this method solve the problem?

Intent intent = new Intent(Utils.This, DownloadService.class);
intent.putExtra(Utils.POS, Links.getPos(MainActivity.clickDown));

Intent sanitizedIntent = new IntentSanitizer.Builder()
    .allowComponent(Objects.requireNonNull(ComponentName.unflattenFromString(Utils.This.getPackageName() + ".DownloadService")))
    .build()
    .sanitizeByThrowing(intent);

Utils.This.startService(sanitizedIntent);

Or the problem is different.
I hope to get solution suggestions from you.
Thank you

https://developer.android.com/reference/androidx/core/content/IntentSanitizer

Thank you my friend .
But the location of the error was not specified in the notification I received from the site.
Could you locate the vulnerabilities in MainActivity?
Or would the vulnerabilities be like this
Intent intent = new Intent(Utils.This, DownloadService.class);
intent.putExtra(Utils.POS, Links.getPos(MainActivity.clickDown));

When the problem is solved, it will be
Intent sanitizedIntent = new IntentSanitizer.Builder()
.allowComponent(Objects.requireNonNull(ComponentName.unflattenFromString(Utils.This.getPackageName() + “.DownloadService”)))
.build()
.sanitizeByThrowing(intent);

Utils.This.startService(sanitizedIntent);

Is it considered a sufficient solution?

I want to know that before sending it back to the site.

Check all of the coding. There may be some other issues.

Address the vulnerability by securing MainActivity or implementing IntentSanitizer from androidx.core.content for intent validation. Ensure the issue doesn’t impact the internal browser but is specific to the control and display of downloaded files on the home page. Enhance application security accordingly.
Hope it will help you!

Thanks for your help …

Thanks for the clarification and help

No problem