tarteaucitron.js DOM Clobbering Vulnerability via document.currentScript Access

Vulnerability

A vulnerability exists in tarteaucitron.js cookie banner versions prior to 1.22.0, where the library improperly accesses document.currentScript without confirming it points to a valid <script> element. This flaw allows an attacker to inject an HTML element that overwrites the currentScript property, causing the script to misinterpret the source and potentially disrupt functionality. In certain browser environments, named DOM elements can become global document properties, creating an opportunity for exploitation. An attacker could manipulate the CDN domain from which tarteaucitron is loaded.
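
As an added illustration (not tarteaucitron's own code), the snippet below contrasts reading document.currentScript blindly with validating it first, using constructed document stand-ins so it runs in Node; in a real browser the check should be `el instanceof HTMLScriptElement`, and EXPECTED_CDN_ORIGIN and the URLs are placeholder values.

```javascript
// Added example, not code from tarteaucitron.js: deriving a script's base
// origin from document.currentScript before and after validating the element.
// The fake "document" objects are constructed so the example runs in Node;
// in a real browser prefer `el instanceof HTMLScriptElement`.

// Origin the page expects to load the library from (constructed value).
const EXPECTED_CDN_ORIGIN = 'https://cdn.example';

// Vulnerable pattern: trusts whatever document.currentScript holds.
function scriptOriginUnchecked(doc) {
  const el = doc.currentScript;
  return new URL(el.src).origin;
}

// Hardened pattern: accept only a genuine <script src="..."> element.
// An element-valued clobber (img, form, embed, object, iframe) cannot
// satisfy the strict string comparisons below.
function isRealScriptElement(el) {
  return el !== null && typeof el === 'object'
    && el.tagName === 'SCRIPT'
    && typeof el.src === 'string' && el.src.length > 0;
}

function scriptOriginChecked(doc) {
  const el = doc.currentScript;
  if (!isRealScriptElement(el)) return null; // caller falls back to a known origin
  return new URL(el.src).origin;
}

// Constructed stand-in: the library loaded by a normal <script src> tag.
const legitDoc = {
  currentScript: { tagName: 'SCRIPT', src: EXPECTED_CDN_ORIGIN + '/tarteaucitron.js' },
};

// Constructed stand-in: a named element has become a document property and
// shadows currentScript, so its src is attacker-controlled, not the CDN.
const clobberedDoc = {
  currentScript: { tagName: 'IMG', src: 'https://evil.example/x.png' },
};

console.log(scriptOriginUnchecked(clobberedDoc)); // https://evil.example
console.log(scriptOriginChecked(clobberedDoc));   // null
console.log(scriptOriginChecked(legitDoc));       // https://cdn.example
```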

Impact

Exploitation could lead to unauthorized changes in the CDN source of tarteaucitron.js, potentially allowing for the injection of malicious scripts.

Remediation

Users can upgrade to tarteaucitron.js version 1.22.0 or later to address this vulnerability.

Added: Jul 3, 2025, 5:45 PM
Updated: Jul 3, 2025, 5:45 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  5.2
remediation     7.7
relevance       0.2
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.