  • Vulnerabilities: 1 via 1 paths
  • Dependencies: 108
  • Source: GitHub
  • Commit: adf939a7

low severity

Undesired Behavior

  • Vulnerable module: sweetalert2
  • Introduced through: sweetalert2@11.10.8

Detailed paths

  • Introduced through: casa@rubyforgood/casa#adf939a72e57cf3b3e6c48dba9eb0537d50d415d sweetalert2@11.10.8

Overview

sweetalert2 is an accessible (WAI-ARIA) replacement for JavaScript's popup boxes and a supported fork of sweetalert.

Affected versions of this package are vulnerable to Undesired Behavior: the package displays pop-up messages to Russian users when they visit Russian sites.

PoC:

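  // Excerpt: swalClasses, setInnerHtml, message and container are defined outside this snippet.
  // The branch runs only when the browser language is 'ru' and the host ends in .ru, .su or .xn--p1ai.
  if (navigator.language === 'ru' && location.host.match(/\.(ru|su|xn--p1ai)$/)) {
    const noWar = document.createElement('div')
    noWar.className = swalClasses['no-war']
    setInnerHtml(
      noWar,
      `<a href="https://www.youtube.com/watch?v=${message.youtubeId}" target="_blank">${message.text}</a>`
    )
    // Add the banner to the container and shift its content down to make room
    container.appendChild(noWar)
    container.style.paddingTop = '4em'
  }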

Remediation

There is no fixed version for sweetalert2.
