diff --git a/msal/application.py b/msal/application.py
index 57e40980..b283440c 100644
--- a/msal/application.py
+++ b/msal/application.py
@@ -77,9 +77,9 @@ def _extract_cert_and_thumbprints(cert):
 [1:-1] # Strip the "--- header ---" and "--- footer ---"
 )
 ]
- # https://cryptography.io/en/latest/x509/reference/#x-509-certificate-object
- sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex() # Requires cryptography 0.7+
- sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex() # Requires cryptography 0.7+
+ # https://cryptography.io/en/latest/x509/reference/#x-509-certificate-object - Requires cryptography 0.7+
+ sha256_thumbprint = cert.fingerprint(hashes.SHA256()).hex()
+ sha1_thumbprint = cert.fingerprint(hashes.SHA1()).hex() # CodeQL [SM02167] for legacy support such as ADFS
 return sha256_thumbprint, sha1_thumbprint, x5c
 def _parse_pfx(pfx_path, passphrase_bytes):
diff --git a/msal/oauth2cli/authcode.py b/msal/oauth2cli/authcode.py
index ba266223..ee06c71a 100644
--- a/msal/oauth2cli/authcode.py
+++ b/msal/oauth2cli/authcode.py
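Review bot: The suppression comment on the `sha1_thumbprint` line of `_extract_cert_and_thumbprints` (msal/application.py) names who needs SHA-1 but not why it is acceptable there. If the SHA-1 value is only emitted as a certificate identifier (presumably the `x5t` header; the use site is outside this hunk) and never serves as an integrity check, the comment should say so, e.g. `# CodeQL [SM02167] SHA-1 thumbprint only identifies the cert (legacy ADFS); not an integrity check`. That lets a later reader tell a justified suppression from a blanket one and marks the line for removal once callers can rely on `sha256_thumbprint` alone. The function body starts above the hunk.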
@@ -76,15 +76,26 @@ def _browse(auth_uri, browser_name=None): # throws ImportError, webbrowser.Erro
 # In WSL which doesn't have www-browser, try launching browser with PowerShell
 if not browser_opened and is_wsl():
- try:
- import subprocess
- # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
- # Ampersand (&) should be quoted
- exit_code = subprocess.call(
- ['powershell.exe', '-NoProfile', '-Command', 'Start-Process "{}"'.format(auth_uri)])
+ import subprocess
+ try: # Try wslview first, which is the recommended way on WSL
+ # https://github.com/wslutilities/wslu
+ exit_code = subprocess.call(['wslview', auth_uri])
 browser_opened = exit_code == 0
- except FileNotFoundError: # WSL might be too old
+ except FileNotFoundError: # wslview might not be installed
 pass
+ if not browser_opened:
+ try:
+ # Fallback to powershell.exe, using -EncodedCommand to prevent injection.
+ # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe
+ import base64
+ # PowerShell expects UTF-16LE for EncodedCommand
+ cmd = u'Start-Process "{}"'.format(auth_uri.replace('"', '`"'))
+ encoded_cmd = base64.b64encode(cmd.encode('utf-16-le')).decode('ascii')
+ exit_code = subprocess.call(
+ ['powershell.exe', '-NoProfile', '-NonInteractive', '-EncodedCommand', encoded_cmd])
+ browser_opened = exit_code == 0
+ except (FileNotFoundError, ImportError): # WSL might be too old
+ pass
 return browser_opened
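Review bot: In the PowerShell fallback of `_browse`, `-EncodedCommand` only changes how the command text is delivered. PowerShell still parses the decoded string, so the protection rests on the `cmd = ...` line, which escapes only the double quote. Inside a double-quoted PowerShell string, `$` still starts variable and subexpression expansion, and a backtick already present in `auth_uri` changes how the following quote is read. A single-quoted literal is verbatim and needs only its own quote doubled: `cmd = u"Start-Process '{}'".format(auth_uri.replace("'", "''"))`. PowerShell also accepts typographic single quotes as delimiters, so those should be doubled or rejected as well. Checking up front that `auth_uri` starts with `https://` or `http://` would also stop a leading `-` from reaching `wslview` as an option. The comment "to prevent injection" should then be reworded to credit the quoting rather than the encoding. `_browse` begins above the hunk.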