Cross-site Scripting in reveal.js (GHSA-6vwx-mwp8-fh44)

Severity:: Medium

Description

Insufficient validation in cross-origin communication (postMessage) in reveal.js version 3.9.1 and earlier allow attackers to perform cross-site scripting attacks.

Recommendation

Update the reveal.js package to the latest compatible version. Followings are version details:

Affected version(s): <= 3.9.1
Patched version(s): 3.9.2

References

GHSA-6vwx-mwp8-fh44
hackerone.com
CVE-2020-8127
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Cross-site scripting in jspdf (GHSA-vh59-v9r5-4mh4) - CVE-2020-7690
Cross-Site Scripting in Prism (GHSA-wvhm-4hhf-97x9) - CVE-2020-15138
Cross site scripting in reveal.js - CVE-2022-0776
Cross-site scripting in Joplin (GHSA-q26w-wjj2-22vv) - CVE-2020-28249

Tags:: npm; reveal.js

Anything's wrong? Let us know Last updated on February 01, 2023