Unhead Document Head and Template Manager Case-Sensitivity Vulnerability in URI Scheme Sanitization

Vulnerability

A vulnerability exists in Unhead, a document head and template manager, prior to version 2.1.11. The issue arises in the 'makeTagSafe' function, where the 'link.href' check employs the case-sensitive String.includes() method. This creates a mismatch with how browsers interpret URI schemes, which is case-insensitive. For example, 'DATA:text/css,...' is equivalent to 'data:text/css,...' in the browser, but the case-sensitive check does not match the uppercase scheme and therefore does not block it. This flaw allows attackers to inject arbitrary CSS, which can be exploited for UI redressing or data exfiltration using CSS attribute selectors that leverage background-image callbacks.
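The following is an added example, not Unhead's own code: it models the case-sensitive substring check described above beside a replacement that asks the WHATWG URL parser (the same parser the browser uses) for the scheme. The blocked-scheme list, the document base URL and the makeLinkSafe policy are assumptions for the illustration.

```javascript
// Added example (not Unhead's code). The advisory only names data:,
// so the list is assumed to contain just that scheme.
const BLOCKED_SCHEMES = new Set(["data:"]);

// Vulnerable shape: String.includes() is case-sensitive, so
// "DATA:text/css,..." is not flagged even though the browser treats
// the scheme case-insensitively and loads it as a stylesheet.
function hrefBlockedCaseSensitive(href) {
  return [...BLOCKED_SCHEMES].some((scheme) => href.includes(scheme));
}

// Hardened: resolve the href the way the browser will (against the
// document base, assumed here), then compare the parser's lowercase
// protocol. The parser also strips leading/trailing control characters
// and embedded tabs/newlines, which a hand-written string test would
// have to replicate. An unparsable href is rejected (fail closed).
function hrefBlockedCaseInsensitive(href, base = "https://example.com/") {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return true;
  }
  return BLOCKED_SCHEMES.has(url.protocol);
}

// Sanitiser in the shape of a makeTagSafe-style helper (assumed policy,
// not Unhead's): the link is kept but its href is dropped when blocked.
function makeLinkSafe(link) {
  if (typeof link.href !== "string") return link;
  if (!hrefBlockedCaseInsensitive(link.href)) return link;
  const { href, ...rest } = link;
  return rest;
}

// Constructed sample input: the uppercase-scheme case from the advisory.
const sample = { rel: "stylesheet", href: "DATA:text/css,body{}" };
```

Running hrefBlockedCaseSensitive(sample.href) returns false while hrefBlockedCaseInsensitive(sample.href) returns true, which is exactly the mismatch the advisory describes.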

Impact

Exploitation of this vulnerability allows for the injection of arbitrary CSS, which can be used for UI redressing or data exfiltration through CSS attribute selectors with background-image callbacks.

Reproduction

To reproduce this vulnerability, use a version of Unhead prior to 2.1.11. Inject a link with a 'DATA:' URI scheme into the document head using the 'useHeadSafe' function. The case-sensitive check does not match the uppercase scheme, so the link passes through, and the browser treats 'DATA:' as equivalent to 'data:' and loads it as a stylesheet.

Remediation

Users can update to Unhead version 2.1.11 or later, where this vulnerability has been fixed.

Added: Mar 12, 2026, 6:23 PM
Updated: Mar 12, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.