DOMPurify Open Redirect vulnerability

Description

DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a ‘rel=”noopener noreferrer”’ attribute.

Recommendation

Update the dompurify package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.0.11
• Patched version(s): 1.0.11

References

• GHSA-8hgg-xxm5-3873
• CVE-2019-25155
• CWE-601
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• DOMpurify has a nesting-based mXSS - CVE-2024-47875
• Potential XSS vulnerability in jQuery - CVE-2020-11023
• Prototype Pollution in jquery-deparam - CVE-2021-20087
• webfinger.js Blind SSRF Vulnerability - CVE-2025-54590

Tags:

npm

dompurify