Affected versions of this package are vulnerable to CSS Injection. Chartkick is vulnerable to CSS injection if user input is passed to the width or height option.
<%= line_chart data, width: params[:width], height: params[:height] %>
An attacker can set additional CSS properties, like:
<%= line_chart data, width: "100%; background-image: url('http://example.com/image.png')" %>
chartkick to version 3.4.0 or higher.