Linkify Prototype Pollution Vulnerability Leading to Cross-Site Scripting
Vulnerability
A prototype pollution vulnerability has been identified in Linkify.js version 4.3.1 (before the fix in 4.3.2). This vulnerability allows remote attackers to execute arbitrary JavaScript, potentially leading to stored or reflected cross-site scripting (XSS) attacks. The issue arises from the internal 'assign()' helper, which fails to filter the '__proto__' property, enabling the injection of event handlers into generated links. As a result, an attacker could manipulate user-controlled variables and HTML attributes, creating a vector for XSS exploitation.
Impact
Exploitation of this vulnerability allows for prototype pollution, which can be leveraged to inject malicious event handlers into HTML elements, causing cross-site scripting (XSS) vulnerabilities.
Reproduction
To reproduce this vulnerability, use Linkify.js version 4.3.1 and pass an object with a '__proto__' property into the 'assign()' function. This injects an event handler, such as 'onclick', into the object's prototype. When Linkify processes the object, it adds the injected event handler to every generated link, creating a cross-site scripting vulnerability.
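As an added illustration of the bug class described in the Vulnerability and Reproduction sections (this is not Linkify.js's own code; the helper names, the toy link renderer and the input object are constructed assumptions), a shallow assign helper that copies a '__proto__' key is shown beside a hardened version that skips it, and a renderer shows how the injected handler leaks into the generated tag:

```javascript
// Hypothetical stand-ins for the advisory's bug class, NOT Linkify.js code.

// Escape text for use inside a double-quoted HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: copies every key, including "__proto__". Writing
// target["__proto__"] on a plain object rewrites its prototype chain, so
// whatever the caller supplied under that key becomes inherited by target.
function unsafeAssign(target, source) {
  for (const key in source) {
    target[key] = source[key];
  }
  return target;
}

// Hardened pattern: copy own keys only, and skip the three names that
// reach the prototype chain.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeAssign(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    target[key] = source[key];
  }
  return target;
}

// Stand-in for the step that turns an attributes object into an <a> tag.
// It walks the object with for...in, so inherited enumerable keys leak in.
function renderLink(href, attrs) {
  let out = `<a href="${escapeAttr(href)}"`;
  for (const name in attrs) {
    if (!/^[a-zA-Z][\w-]*$/.test(name)) continue; // reject odd attribute names
    out += ` ${name}="${escapeAttr(attrs[name])}"`;
  }
  return out + ">link</a>";
}

// Constructed untrusted input. JSON.parse creates a literal own property
// named "__proto__", which for...in then enumerates.
const UNTRUSTED_OPTIONS = JSON.parse('{"__proto__":{"onclick":"handler()"}}');

// Merge default link attributes with the untrusted options using the given
// helper, then render; returns the resulting HTML string.
function buildWith(assign) {
  const attrs = assign({ target: "_blank" }, UNTRUSTED_OPTIONS);
  return renderLink("https://example.com", attrs);
}
```

With unsafeAssign the rendered tag carries an onclick attribute that was never an own property of the attributes object; with safeAssign it does not.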
Remediation
Users can upgrade to Linkify.js version 4.3.2, which has patched this vulnerability.