Cross site scripting in reveal.js

Description

The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage.

Recommendation

Update the reveal.js package to the latest compatible version. Followings are version details:

• Affected version(s): < 4.3.0
• Patched version(s): 4.3.0

References

• GHSA-hhqj-cfjx-vj25
• huntr.dev
• CVE-2022-0776
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-site Scripting in reveal.js - reveal.js - CVE-2020-8127
• Raneto vulnerable to Cross-site Scripting - CVE-2022-35144
• Angular (deprecated package) Cross-site Scripting - CVE-2022-25869
• Toast UI Grid vulnerable to Cross-site Scripting - CVE-2022-23458

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

reveal.js