Smartbanner.js Window Opener Exposure Vulnerability

Vulnerability

In smartbanner.js versions prior to 1.14.1, the 'View' link exposes 'window.opener' to the destination page when it navigates to a third-party page. A malicious third party could exploit this exposure to manipulate the original page, such as by redirecting it or injecting content. The issue arises because the 'View' link can lead to untrusted sites.

Impact

The vulnerability could be exploited to misuse 'window.opener', potentially leading to unauthorized redirections or content injections on the original page where smartbanner is used.

Remediation

Users are advised to upgrade to smartbanner.js version 1.14.1 or later, which automatically adds 'rel="noopener"' to links, mitigating the vulnerability. Those unable to upgrade should ensure that 'View' links only direct users to the App Store or Google Play Store. If the link goes to a third-party page, restrict smartbanner.js to iOS devices, as Safari 12.1 and later automatically applies 'rel="noopener"' to all 'target="_blank"' links.
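A page that cannot upgrade yet can check for, and close, the same exposure in its own code. The following is an added example, not smartbanner.js code and not part of the original advisory; the function names, the 'a[target]' selector and the sample links are assumptions constructed for illustration.

```javascript
// Added example, not smartbanner.js code; names and selector are assumptions.
// Either rel token severs window.opener ("noreferrer" implies "noopener").
const SAFE_TOKENS = ['noopener', 'noreferrer'];

// True when the link opens a new tab and leaves window.opener reachable.
function exposesOpener(link) {
  const target = (link.getAttribute('target') || '').toLowerCase();
  const rel = (link.getAttribute('rel') || '').toLowerCase().split(/\s+/);
  return target === '_blank' && !rel.some((t) => SAFE_TOKENS.includes(t));
}

// Add "noopener" to each exposed link under root; returns the hrefs it changed.
function hardenLinks(root, selector = 'a[target]') {
  const fixed = [];
  for (const link of root.querySelectorAll(selector)) {
    if (!exposesOpener(link)) continue;
    const rel = (link.getAttribute('rel') || '').trim();
    link.setAttribute('rel', rel ? `${rel} noopener` : 'noopener');
    fixed.push(link.getAttribute('href'));
  }
  return fixed;
}

// Browser wiring (assumption: the banner is inserted by script after load).
if (typeof document !== 'undefined') {
  hardenLinks(document);
  new MutationObserver(() => hardenLinks(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}

// Constructed sample: minimal stand-ins for DOM anchors, not real banner markup.
function fakeLink(attrs) {
  return {
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
    setAttribute: (k, v) => { attrs[k] = v; },
  };
}

function demo() {
  const links = [
    fakeLink({ href: 'https://third-party.example/a', target: '_blank' }),
    fakeLink({ href: 'https://third-party.example/b', target: '_blank', rel: 'nofollow' }),
    fakeLink({ href: 'https://third-party.example/c', target: '_blank', rel: 'noreferrer' }),
    fakeLink({ href: '/local' }),
  ];
  const fixed = hardenLinks({ querySelectorAll: () => links });
  return { fixed, rels: links.map((l) => l.getAttribute('rel')) };
}
```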

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.9
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.