The Google API key (apiKey) is publicly accessible (i.e. in config.js)!
According to the Firebase documentation, this is not a problem and not a security issue. As an extra precaution, and to stop seeing the warning, you can restrict the keys that Firebase creates automatically.
- You can view and manage all your project's API keys in the APIs & Services -> Credentials panel in the Google Cloud Console.
- Select "Browser key (auto created by Firebase)".
- Restrict key usage to specified websites. Add your Firebase website and all other websites.
You can also implement other restrictions, like reducing the identitytoolkit.googleapis.com API quota of the project.
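
The website restriction from the steps above can also be applied from the command line. This added example (not part of the original page or of Firebase's own tooling) builds the `gcloud services api-keys update` command for the key; the project ID, `KEY_ID` and the extra site are constructed placeholders, and it assumes the default Hosting site name equals the project ID.

```shell
#!/bin/sh
# Added example: prints (does not run) the gcloud command that restricts
# the Firebase browser key to specific websites.

# Turn a site origin into a referrer pattern covering every path on it.
referrer_pattern() {
  local origin="${1%/}"              # drop one trailing slash
  case "$origin" in
    https://*) ;;
    http://localhost|http://localhost:*) ;;   # plain http only for local dev
    *) echo "refusing non-HTTPS origin: $1" >&2; return 1 ;;
  esac
  # Stricter than the console requires: no paths and no wildcards in the
  # input, so every entry is one explicit origin.
  case "${origin#*://}" in
    */*|*\**) echo "expected a bare origin, got: $1" >&2; return 1 ;;
  esac
  printf '%s/*' "$origin"
}

# build_restrict_cmd PROJECT_ID KEY_ID [extra origins...]
build_restrict_cmd() {
  local project="$1" key_id="$2" refs="" site pat
  shift 2
  # Firebase Hosting serves the site on both default domains, so both
  # must be allowed or one of them stops working.
  for site in "https://${project}.web.app" \
              "https://${project}.firebaseapp.com" "$@"; do
    pat="$(referrer_pattern "$site")" || return 1
    refs="${refs:+$refs,}$pat"
  done
  printf 'gcloud services api-keys update %s --project=%s --allowed-referrers="%s"\n' \
    "$key_id" "$project" "$refs"
}

# Constructed sample values. Find the real key ID with:
#   gcloud services api-keys list --project=PROJECT_ID
build_restrict_cmd "example-project" "KEY_ID" "https://www.example.com"
```

Review the printed command before running it, since the referrer list replaces whatever website restrictions the key already has.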