Notesnook Stored Cross-Site Scripting Vulnerability in Twitter Embed Component

Vulnerability

A stored cross-site scripting vulnerability has been identified in Notesnook's editor embed component, affecting versions prior to 3.3.9 for web and desktop, and versions prior to 3.3.15 for Android and iOS. The issue arises when rendering Twitter/X embed URLs, as the 'tweetToEmbed()' function in 'component.tsx' directly interpolates user-supplied URLs into an HTML string without proper escaping. This unescaped HTML is then assigned to the 'srcdoc' attribute of an <iframe>, allowing for the execution of injected scripts in the victim's browser, particularly in environments in which Content Security Policy (CSP) is absent or misconfigured.
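The pattern described above, as an added illustration that is not Notesnook's code: a reconstruction of the unsafe interpolation beside a hardened variant that validates the URL against a tweet-URL allowlist and HTML-escapes it before it reaches the srcdoc string. The function names, the blockquote markup and the sample inputs are assumptions.

```javascript
// Added example, not code from the Notesnook project. Names and markup are assumed.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Unsafe pattern: the user-supplied URL lands in the srcdoc HTML unchanged,
// so any markup inside it is parsed by the iframe document.
function tweetToEmbedUnsafe(url) {
  return `<blockquote class="twitter-tweet"><a href="${url}"></a></blockquote>`;
}

// Hardened step 1: accept only a canonical https tweet URL and rebuild it
// from the validated parts (query string and fragment are dropped).
function validateTweetUrl(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.protocol !== "https:") return null;
  const host = u.hostname.toLowerCase();
  if (!["twitter.com", "www.twitter.com", "x.com", "www.x.com"].includes(host)) return null;
  const m = u.pathname.match(/^\/([A-Za-z0-9_]{1,15})\/status\/(\d+)\/?$/);
  if (!m) return null;
  return `https://twitter.com/${m[1]}/status/${m[2]}`;
}

// Hardened step 2: escape even the canonical URL before interpolation
// (defence in depth; the validator already excludes HTML metacharacters).
function tweetToEmbedSafe(url) {
  const canonical = validateTweetUrl(url);
  if (canonical === null) return null; // refuse to embed anything else
  return `<blockquote class="twitter-tweet"><a href="${escapeHtml(canonical)}"></a></blockquote>`;
}

// Constructed sample inputs: a tweet URL with markup appended, and a clean one.
const HOSTILE_URL = 'https://twitter.com/user/status/1"><img src=x onerror=alert(1)>';
const BENIGN_URL = "https://x.com/user/status/1234567890";
```

The URL parser percent-encodes the quote and angle brackets in the path, so the status-id regex fails and the hostile input is rejected rather than escaped, while a clean x.com link is normalised to its twitter.com form.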

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the note.

Reproduction

To reproduce this vulnerability, create a note containing a Twitter/X embed URL that includes unescaped HTML, such as an image tag with an 'onerror' event. Once the note is saved and opened, the injected script will execute in the browser.

Remediation

Users can update to Notesnook version 3.3.9 or later for web and desktop, or version 3.3.15 or later for Android and iOS.

Added: Mar 11, 2026, 7:30 PM
Updated: Mar 11, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.8
remediation: 0.0
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.