Описание
Cross site scripting in reveal.js
The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker's input to parts using which attacker can execute arbitrary javascript code on victim's browser window hosting reveal.js
Пакеты
Наименование
reveal.js
npm
Затронутые версииВерсия исправления
< 4.3.0
4.3.0
Связанные уязвимости
CVSS3: 6.1
nvd
почти 4 года назад
Cross-site Scripting (XSS) - DOM in GitHub repository hakimel/reveal.js prior to 4.3.0.