
fix(deps): update rollup bundled DOM Clobbering Gadget found scripts that leads to XSS

Status: Open. streetfact opened this issue 1 year ago • 0 comments

Change Overview

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (an img tag with an unsanitized name attribute) are present.

  • [x] Bug fix
    • [ ] External Facing (resolves an issue customers are currently experiencing)
    • [x] Security Impact (fixes a potential vulnerability)
  • [ ] Feature
    • [ ] Visible Change (changes semver of API surface or other change that would impact user/dev experience)
    • [ ] High Usage (impacts a major part of the core workflow for users)
  • [x] Performance Improvement
  • [ ] Refactoring
  • [ ] Other: Describe here

Weakness CWE-79

streetfact, Jan 23 '25 16:01