Clickjacking Affecting org.webjars.bower:angular package, versions [1.3.1,1.5.0-beta.0)
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSBOWER-479414
- published 23 Jan 2017
- disclosed 6 Aug 2015
- credit Igor Minar
How to fix?
Upgrade org.webjars.bower:angular to version 1.5.0-beta.0 or higher.
Overview
org.webjars.bower:angular is a bower WebJar for angular.
Affected versions of this package are vulnerable to Clickjacking. By enabling the SVG setting without taking other precautions, you might expose your application to click-hijacking attacks. In these attacks, sanitized SVG elements could be positioned outside of the containing element and be rendered over other elements on the page (e.g. a login link). Such behavior can then result in phishing incidents.
To protect against these, explicitly setup overflow: hidden css rule for all potential SVG tags within the sanitized content:
.rootOfTheIncludedContent svg {
overflow: hidden !important;
}