Vega Arbitrary JavaScript Execution Vulnerability Allowing DOM-Based Cross-Site Scripting

Vulnerability

A vulnerability in Vega prior to versions 6.1.2 and 5.6.3 (the fixed releases of the vega-selections package for Vega v6 and Vega v5 respectively) allows arbitrary JavaScript code execution, leading to DOM-based cross-site scripting (XSS). The issue arises when an application uses the Vega library in a way that exposes function gadgets on the global scope (for example, by attaching the Vega namespace or a vega.View instance to window) and also accepts user-defined Vega JSON specifications. It is exploitable even when the 'safe mode' expression interpreter is active, so that interpreter is not a sufficient mitigation on its own; an attacker only needs to trick a user into opening a malicious Vega specification in the affected application.

Impact

Successful exploitation results in DOM-based cross-site scripting: attacker-controlled JavaScript runs in the origin of the embedding application, not in a sandbox. From there it can read sensitive data available to page scripts (such as authentication tokens held in the DOM or web storage), alter the data presented to the user, or perform actions on the user's behalf with their existing session.

Reproduction

To reproduce this vulnerability, craft a Vega specification whose payload uses the 'vlSelectionTuples' expression function (provided by the vega-selections package) to map a function gadget reachable from the global scope onto an event handler. Open that specification in an application that embeds Vega, accepts user-supplied specifications, and exposes such gadgets on the global object (for example, by assigning the Vega namespace or a vega.View instance to window). Enabling the 'safe mode' expression interpreter does not prevent the payload from executing.

Remediation

Update the vega-selections package: 'vega-selections@6.1.2' for Vega v6 or 'vega-selections@5.6.3' for Vega v5. If an immediate upgrade is not possible, apply the workaround: do not attach the Vega namespace or 'vega.View' instances to global variables or to window; keep them in module or closure scope so that no function gadget is reachable from a user-supplied specification. Do not rely on the 'safe mode' expression interpreter as a mitigation, since the issue is exploitable with it enabled.
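The following is an added example, not code from the Vega project or from this advisory. It turns the workaround above into a runtime check: before an application renders a user-supplied specification, it audits the global object for exposed Vega namespaces or vega.View instances (the function gadgets the advisory refers to) and refuses to render while any are reachable, and it shows an embedding pattern that keeps the Vega module and the View in closure scope so nothing ends up on window. The duck-typing heuristics (vega.parse, vega.View, View#runAsync, View#signal) are this example's own assumptions about the public Vega API, and the `constructedWindow` object is a constructed stand-in for a browser global, not real application state. It does not reproduce the exploit itself.

```javascript
// Added example (not Vega project code): audit a global object for exposed
// Vega gadgets and keep Vega/View instances out of global scope.

// A value shaped like the `vega` namespace: exposes parse() and the View class.
// Heuristic assumed for this example, not defined by the advisory.
function looksLikeVegaNamespace(value) {
  return value !== null &&
    (typeof value === 'object' || typeof value === 'function') &&
    typeof value.parse === 'function' &&
    typeof value.View === 'function';
}

// A value shaped like a vega.View instance: exposes runAsync() and signal().
function looksLikeVegaView(value) {
  return value !== null &&
    typeof value === 'object' &&
    typeof value.runAsync === 'function' &&
    typeof value.signal === 'function';
}

// Scan a global object (pass `window` in a browser) and report every property
// holding a Vega namespace or View. Non-enumerable properties are included
// because `var` globals and framework exports may be defined either way.
function findExposedVegaGadgets(globalObj) {
  const hits = [];
  for (const name of Object.getOwnPropertyNames(globalObj)) {
    let value;
    try {
      value = globalObj[name]; // some window getters throw on access
    } catch (e) {
      continue;
    }
    if (looksLikeVegaNamespace(value)) {
      hits.push({ name, kind: 'namespace' });
    } else if (looksLikeVegaView(value)) {
      hits.push({ name, kind: 'view' });
    }
  }
  return hits;
}

// Build a renderer that keeps the Vega module and the View in closure scope
// and hands back only a narrow handle, so nothing Vega-related is attached
// to the global object. `vegaLib` is the imported vega module (for example
// `import * as vega from 'vega'`); `globalObj` is the object to audit first.
function createSpecRenderer(vegaLib, globalObj) {
  return function renderUntrustedSpec(spec, container) {
    const exposed = findExposedVegaGadgets(globalObj);
    if (exposed.length > 0) {
      const list = exposed.map((h) => `${h.kind}:${h.name}`).join(', ');
      throw new Error(`refusing to render untrusted spec; global gadgets found: ${list}`);
    }
    const view = new vegaLib.View(vegaLib.parse(spec), {
      renderer: 'svg',
      container,
      hover: false,
    });
    // Only a run() thunk escapes; the View itself stays private.
    return { run: () => view.runAsync().then(() => undefined) };
  };
}

// Stand-alone demo on a constructed stand-in for `window` (not a real browser
// global): one leaked namespace, one leaked view, one unrelated property.
const constructedWindow = {
  vega: { parse() {}, View: function View() {} },
  chart: { runAsync() {}, signal() {} },
  appName: 'dashboard',
};
console.log(findExposedVegaGadgets(constructedWindow));
// → [ { name: 'vega', kind: 'namespace' }, { name: 'chart', kind: 'view' } ]
```

In a browser, call `findExposedVegaGadgets(window)` from the page that embeds Vega; any hit means a user-supplied specification could reach that object, and the fix is to move it into module or closure scope as `createSpecRenderer` does. Top-level `let`/`const` bindings are not properties of window and will not be reported, which is the desired state. The check is a heuristic on object shape and complements, rather than replaces, upgrading vega-selections.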

Added: Jan 5, 2026, 10:28 PM
Updated: Jan 5, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 5.0
exploitability: 5.8
remediation: 7.9
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.