plotly.js is a high-level, declarative charting library.
Affected versions of the package allowed the style attribute to be manipulated in the tag inside the embedded SVG, making them vulnerable to CSS injection. This allowed tracking images to be embedded and information to be leaked to an external domain.
For more information, see Jared's post explaining the issue very well.
Upgrade to plotly.js version 1.16.0 or newer.
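For code that writes user-influenced style values into SVG itself, the control that blocks this class of issue is a property allowlist that rejects any value able to load a resource. The following is an added example, not plotly.js code or its actual fix; `sanitizeStyle`, `valueIsSafe`, the allowlists and the sample string are assumptions made here.

```javascript
// Added example: allowlist filter for inline style values on SVG text elements.
// Names and allowlists are assumptions for illustration, not plotly.js internals.
const ALLOWED_PROPS = new Set([
  'color', 'fill', 'font-family', 'font-size', 'font-style', 'font-weight',
]);
const ALLOWED_FUNCS = new Set(['rgb', 'rgba', 'hsl', 'hsla']);
// Conservative character set: no quotes, slashes, colons or backslash escapes.
const SAFE_VALUE = /^[a-z0-9\s#,.%()\-]+$/i;

function valueIsSafe(value) {
  if (!SAFE_VALUE.test(value)) return false;
  // Every "name(" must be an allowlisted colour function, so url(),
  // image-set() and expression() are rejected even on an allowed property.
  for (const m of value.matchAll(/([a-z-]*)\s*\(/gi)) {
    if (!ALLOWED_FUNCS.has(m[1].toLowerCase())) return false;
  }
  return true;
}

function sanitizeStyle(style) {
  const kept = [];
  const dropped = [];
  for (const raw of String(style).split(';')) {
    const decl = raw.trim();
    if (!decl) continue;
    const idx = decl.indexOf(':');
    const prop = idx === -1 ? '' : decl.slice(0, idx).trim().toLowerCase();
    const value = idx === -1 ? '' : decl.slice(idx + 1).trim();
    if (ALLOWED_PROPS.has(prop) && valueIsSafe(value)) {
      kept.push(`${prop}: ${value}`);
    } else {
      dropped.push(decl); // fail closed; log these for review
    }
  }
  return { style: kept.join('; '), dropped };
}

// Constructed sample input (tracker.example is a placeholder host).
const sample = 'color: #c00; font-size: 14px; ' +
  'background-image: url(https://tracker.example/p.gif); FILL: rgb(0, 0, 255)';
console.log(sanitizeStyle(sample));
```

The `dropped` list is worth logging: a declaration with an external URL in chart text is a useful signal that someone is probing the input.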
- Jared Folkins
- Snyk ID
- 09 Aug, 2016
- 17 Oct, 2016