Description
Reverse Tabnabbing in showdown
Versions of showdown prior to 1.9.1 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
Recommendation
Upgrade to version 1.9.1 or later.
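An added example, not code from showdown or from this advisory: a regression check that scans converter HTML output for anchors that set target="_blank" without rel="noopener noreferrer" (the attribute that stops the opened page from reaching window.opener) and rewrites them. The function names and the sample HTML are constructed for illustration, and the regex matching assumes well-formed converter output with no ">" inside attribute values.

```javascript
// Added example (not showdown code). SAMPLE is constructed HTML output.
const ANCHOR_RE = /<a\s[^>]*>/gi;
const TARGET_BLANK_RE = /\starget\s*=\s*(?:"_blank"|'_blank'|_blank\b)/i;
const REL_RE = /\srel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const REQUIRED = ["noopener", "noreferrer"];

const SAMPLE = [
  '<p><a href="https://example.com" target="_blank">docs</a></p>',
  '<p><a href="https://example.org" target="_blank" rel="nofollow">ref</a></p>',
  '<p><a href="/local">same tab</a></p>',
].join("\n");

// Tokens of the rel attribute, or null when the tag has no rel at all.
function relTokens(tag) {
  const m = REL_RE.exec(tag);
  if (!m) return null;
  const value = m[1] ?? m[2] ?? m[3] ?? "";
  return value.toLowerCase().split(/\s+/).filter((t) => /^[\w-]+$/.test(t));
}

// Opening <a> tags that open a new tab without both required rel tokens.
function findUnsafeAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter((tag) => {
    if (!TARGET_BLANK_RE.test(tag)) return false;
    const tokens = relTokens(tag) || [];
    return !REQUIRED.every((t) => tokens.includes(t));
  });
}

// Rewrite those tags so rel carries noopener and noreferrer,
// keeping any rel tokens that were already present.
function hardenBlankTargets(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!TARGET_BLANK_RE.test(tag)) return tag;
    const tokens = relTokens(tag);
    const merged = [...new Set([...(tokens || []), ...REQUIRED])].join(" ");
    if (tokens === null) return tag.replace(/\s*>$/, () => ` rel="${merged}">`);
    return tag.replace(REL_RE, () => ` rel="${merged}"`);
  });
}

console.log(findUnsafeAnchors(SAMPLE));
console.log(hardenBlankTargets(SAMPLE));
```

Running findUnsafeAnchors over rendered output in a test suite flags a regression if an older converter version is reintroduced.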
Packages
Name: showdown (npm)
Affected versions: < 1.9.1
Fixed version: 1.9.1
CVSS3: 3.1 Low
Weaknesses: CWE-1022