Notesnook Stored Cross-Site Scripting Vulnerability in Mobile Share Web Clip Flow

A stored cross-site scripting (XSS) vulnerability has been identified in Notesnook, a privacy-focused note-taking app, prior to version 3.3.17. The issue arises in the mobile share and web clip functionality, where attacker-controlled metadata is injected into the HTML without proper escaping. This unescaped data is then rendered using innerHTML in the mobile share editor's WebView. An attacker can exploit this by manipulating the shared title metadata, such as through Android or iOS share options or link previews, to include harmful HTML, which is executed when the recipient opens the share flow and selects the web clip option.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected HTML is executed in the context of the user.

Reproduction

To reproduce this vulnerability, an attacker can host a web page that uses the Web Share API to send a share request to Notesnook, including unescaped HTML in the title. When the share is received in Notesnook, the app processes the unescaped HTML and injects it into the share editor, where it is executed as JavaScript.

Remediation

Users can update to Notesnook version 3.3.17 or later, where this vulnerability has been patched.