tarteaucitron.js Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability has been identified in tarteaucitron.js versions prior to 1.20.1. The issue lies in the addOrUpdate function, which applies custom texts. The function does not properly validate its input, so an attacker with direct access to the site's source code or to a CMS plugin can manipulate JavaScript object prototypes. Such manipulation can lead to data corruption or unintended code execution. An attacker with high privileges could exploit this to modify object prototypes, disrupt core JavaScript functionality, cause application crashes or unexpected behavior, and potentially introduce further vulnerabilities depending on the application's architecture.
Impact
Exploitation of this vulnerability could allow prototype pollution, enabling an attacker to modify object prototypes in a way that disrupts normal JavaScript behavior. This could lead to application crashes, unexpected behavior, or the introduction of further security vulnerabilities, particularly if the application architecture allows such changes to be exploited.
Remediation
Users can upgrade to tarteaucitron.js version 1.20.1 or later to address this vulnerability.
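The following is an added illustration, not tarteaucitron.js's own code: a hardened "apply custom texts" merge of the kind the fix requires, which refuses the keys that would reach the prototype chain and only copies own properties. Names (safeAddOrUpdate, FORBIDDEN_KEYS) and the sample input are assumptions made for this example.

```javascript
// Added example (not tarteaucitron's code): a deep-merge for custom texts that
// cannot be used to pollute Object.prototype. Keys that would reach the
// prototype chain are rejected outright.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Deep-merges `custom` into `target`, skipping prototype-reaching keys and
// reading only own enumerable properties of the source. Returns target.
function safeAddOrUpdate(target, custom) {
  if (!isPlainObject(custom)) return target;
  for (const key of Object.keys(custom)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = custom[key];
    if (isPlainObject(value)) {
      // Only descend into an own plain-object property of target; never into
      // one inherited from its prototype.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeAddOrUpdate(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input: one legitimate text override plus the two classic
// prototype-reaching keys. JSON.parse is used because a "__proto__" key in an
// object literal would set the prototype instead of creating an own property.
const CONSTRUCTED_INPUT = JSON.parse(
  '{"banner":{"title":"Cookies"},' +
  '"__proto__":{"polluted":"yes"},' +
  '"constructor":{"prototype":{"polluted2":"yes"}}}'
);

// Applies the sample and reports what changed and whether the prototype stayed clean.
function demo() {
  const texts = { banner: { title: 'Default', body: 'We use cookies.' } };
  safeAddOrUpdate(texts, CONSTRUCTED_INPUT);
  return {
    title: texts.banner.title, // overridden to "Cookies"
    body: texts.banner.body,   // untouched
    prototypeClean: ({}).polluted === undefined && ({}).polluted2 === undefined,
  };
}
```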