pym-iframe-resizer@2.0.0

Vulnerabilities

1 via 1 paths

Dependencies

2

Source

npm

high severity

Cross-site Request Forgery (CSRF)

  • Vulnerable module: pym.js
  • Introduced through: pym.js@0.4.5

Detailed paths

  • Introduced through: pym-iframe-resizer@2.0.0 pym.js@0.4.5
    Remediation: Upgrade to pym.js@1.3.2.

Overview

pym.js embeds and resizes an iframe responsively (width and height) within its parent container.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the _onNavigateToMessage function. The issue appears to be exploitable when a user visits an attacker-crafted page: the attacker then gains full JavaScript access to pages that contain Pym.js embeds.

Remediation

Upgrade pym.js to version 1.3.2 or higher.
