Twitter-Post-Fetcher vulnerable to Use of Web Link to Untrusted Target with window.opener Access
- Severity:
- Medium
Description
A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x. This affects an unknown part of the file js/twitterFetcher.js of the component Link Target Handler. The manipulation leads to use of web link to untrusted target with window.opener access. It is possible to initiate the attack remotely.
Recommendation
Update the twitter-fetcher-js package to the latest compatible version. Followings are version details:
- Affected version(s): < 18.0.0
- Patched version(s): 18.0.0
References
Related Issues
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit - Vulnerability
- Macro in MathJax running untrusted Javascript within a web browser - CVE-2018-1999024
- Materialize-css vulnerable to Improper Neutralization of Input During Web Page Generation - CVE-2019-11004
- Tags:
- npm
- twitter-fetcher-js
Anything's wrong? Let us know Last updated on February 02, 2023