Affected versions of the package are vulnerable to CSP Bypass.
Extension URIs (resource://...) bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. If a site already has an XSS bug and relies on CSP to contain it, but the user has an extension installed that bundles Angular, an attacker can load Angular from the extension URI, and Angular's auto-bootstrapping can then be used to bypass the victim site's CSP protection.
Upgrade angular to version 1.5.9 or higher.
- Martin Probst
- Snyk ID
- 31 Oct, 2016
- 23 Jan, 2017