CleverTap Web SDK DOM-Based Cross-Site Scripting Vulnerability
Vulnerability
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in CleverTap Web SDK versions up to and including 1.15.2. The issue lies in the Visual Builder module, whose origin validation for window.postMessage events is inadequate: the check can be bypassed from a host whose name includes 'dashboard.clevertap.com' as a subdomain, allowing an attacker to inject arbitrary HTML or JavaScript into any website that embeds the vulnerable SDK.
Impact
Exploitation of this vulnerability allows for DOM-based Cross-Site Scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, send a postMessage event from an attacker's domain that includes a crafted originUrl with 'dashboard.clevertap.com' in the subdomain. The payload must also include details that will be processed by the SDK, such as HTML content with embedded JavaScript.
Remediation
Users can upgrade to CleverTap Web SDK version 1.15.3 or later, where this vulnerability has been patched.
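The following is an added example, not code from the CleverTap Web SDK or from this advisory's author. It contrasts a substring-style origin check of the kind the advisory describes with a strict allow-list comparison, and runs both against a constructed set of message origins (the lookalike host name, the `html` field in the message shape, and the function names are all assumptions made for illustration).

```javascript
// Added example: weak vs. strict origin validation for window.postMessage.
// Not the SDK's code; the trusted origin is taken from the advisory, everything
// else below is constructed for illustration.

const TRUSTED_ORIGINS = new Set(["https://dashboard.clevertap.com"]);

// Weak check: passes any origin string that merely contains the trusted host name.
// A host such as dashboard.clevertap.com.example.net (constructed) satisfies it.
function weakOriginCheck(origin) {
  return origin.includes("dashboard.clevertap.com");
}

// Strict check: parse the origin and require an exact match against an allow-list
// of full origins (scheme + host + port). Opaque ("null") or malformed origins fail.
function strictOriginCheck(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false; // "null" and other non-URL origins are not parseable
  }
  return parsed.origin === origin && TRUSTED_ORIGINS.has(parsed.origin);
}

// Gate a message event on the chosen origin check before touching its payload.
// The message shape ({ html: string }) is an assumption for this example.
function handleMessage(event, checkOrigin = strictOriginCheck) {
  if (!checkOrigin(event.origin)) {
    return { accepted: false, reason: "origin rejected" };
  }
  if (!event.data || typeof event.data.html !== "string") {
    return { accepted: false, reason: "unexpected payload shape" };
  }
  return { accepted: true, html: event.data.html };
}

// Constructed sample origins covering the legitimate dashboard, a lookalike
// subdomain, an unrelated site, a scheme downgrade and an opaque origin.
const SAMPLE_ORIGINS = [
  "https://dashboard.clevertap.com",
  "https://dashboard.clevertap.com.example.net",
  "https://example.net",
  "http://dashboard.clevertap.com",
  "null",
];

// Evaluate every sample origin under both checks; returns rows for inspection.
function evaluateOrigins(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    weak: weakOriginCheck(origin),
    strict: strictOriginCheck(origin),
  }));
}

// In a browser, register the strict handler; in Node this block is skipped.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (event) => {
    const result = handleMessage(event, strictOriginCheck);
    if (!result.accepted) return; // drop silently, optionally log for detection
    // Apply the accepted payload here; never assign untrusted HTML to innerHTML.
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateOrigins());
}
```

Running the block prints a table in which only the exact `https://dashboard.clevertap.com` origin passes the strict check, while the weak check also admits the constructed lookalike subdomain and the scheme-downgraded origin. The design point is that `event.origin` must be compared as a whole against an allow-list of full origins; checking for a substring, a suffix, or a hostname fragment is what leaves the door open to the bypass the advisory describes.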
