Zadarma Browser Extension Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Zadarma browser extension in versions up to and including 1.0.11. It allows remote attackers to execute arbitrary script in a victim's browser by injecting markup into content that the extension's webchat component renders. The issue is most impactful on web applications with chat or form functionality that do not enforce a strict Content Security Policy (CSP). When a user with the affected extension views the malicious input, the injected script runs in that user's browser session.
Impact
Exploitation of this vulnerability could result in unauthorized execution of client-side scripts, manipulation of the Document Object Model (DOM), and potential theft of data.
Reproduction
To reproduce this vulnerability, send a message containing a crafted phone number to a user on WhatsApp Web who has the Zadarma extension installed (version 1.0.11 or earlier). When the recipient opens the chat, the extension will process the message and execute the injected JavaScript payload in their browser.
Remediation
This vulnerability can be mitigated by validating and sanitizing untrusted input (such as phone numbers received in chat messages) before it is rendered in the DOM.
