OneTrust SDK Prototype Pollution Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in OneTrust SDK version 6.33.0. This issue arises from prototype pollution, where a local attacker can manipulate the prototype of objects using 'Object.setPrototypeOf' and 'Object.assign'. Such manipulation can disrupt the normal behavior of the application, potentially leading to a denial-of-service condition.
Impact
Exploitation of this vulnerability causes global object pollution, which can disrupt application logic and lead to a denial-of-service condition. In the context of a browser, this could allow for further exploitation, such as bypassing security controls or manipulating the page's content or behavior.
Reproduction
The vulnerability can be reproduced by using the 'Object.setPrototypeOf' or 'Object.assign' methods to inject a payload that includes a '__proto__' reference. This can be done in a Node.js environment or in the browser's JavaScript console. After the prototype has been polluted, the injected properties can be accessed on objects, demonstrating that the pollution was successful.
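The weak merge pattern described above next to a hardened one, plus a baseline check for detecting properties added to Object.prototype. This is an added example, not code from the OneTrust SDK or from the original advisory; the function names and the JSON payload are constructed for illustration.

```javascript
// Added example (not OneTrust code). All names and the payload are constructed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype taken at startup, before untrusted input is handled.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Weak pattern: Object.assign performs an ordinary [[Set]] for every own key of
// the source, so an own "__proto__" key (as produced by JSON.parse) replaces the
// target's prototype instead of being stored as data.
function weakMerge(target, source) {
  return Object.assign(target, source);
}

// Hardened pattern: copy own keys only, skip prototype-related names, recurse
// into nested plain objects, and define values as data properties so that no
// setter on the prototype chain is invoked. Arrays are copied by reference.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    const isPlainObject =
      value !== null && typeof value === 'object' && !Array.isArray(value);
    Object.defineProperty(target, key, {
      value: isPlainObject ? safeMerge({}, value) : value,
      writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Detection: names present on Object.prototype that were not there at startup.
function pollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !BASELINE.has(name));
}

// Constructed input standing in for attacker-influenced JSON.
const payload = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

const weak = weakMerge({}, payload); // prototype of `weak` is now the payload object
const safe = safeMerge({}, payload); // "__proto__" key dropped, prototype untouched

console.log('weak.isAdmin =', weak.isAdmin, '| safe.isAdmin =', safe.isAdmin);
console.log('unexpected Object.prototype keys:', pollutedKeys());
```

In this sample the weak merge alters only the prototype of the merged object. `pollutedKeys()` covers the case the advisory describes, where injected properties land on the shared `Object.prototype`.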
