CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function

Severity:: High

Description

CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain.

Recommendation

Update the clevertap-web-sdk package to the latest compatible version. Followings are version details:

Affected version(s): < 1.15.3
Patched version(s): 1.15.3

References

GHSA-j5mf-6rh3-rhgg
CVE-2026-26861
CWE-346
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6
OWASP 2021-A7

Related Issues

CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` - CVE-2026-47099
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State - CVE-2026-42573
SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; clevertap-web-sdk

Anything's wrong? Let us know Last updated on March 01, 2026