spin.js Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the spin.js package, affecting versions prior to 3.0.0. The issue lies in the spin() function: once Object.prototype has been polluted, a call to spin() can open multiple alert dialogs for each targeted element, i.e. run attacker-supplied script. Exploitation therefore requires the attacker to first exploit a separate prototype pollution flaw, such as CVE-2021-20089, to inject a malicious key-value pair into Object.prototype via a crafted URL. Once that pollution is in place, the attacker can execute arbitrary JavaScript in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the user's browser, potentially leading to session hijacking, cookie theft, or other malicious actions.

Reproduction

To reproduce this vulnerability, use a version of spin.js prior to 3.0.0. First inject a prototype pollution payload into Object.prototype via a crafted URL, using a separate flaw that permits such an injection. With the pollution in place, load the vulnerable spin.js version and call the spin() function on a target element. The injected script will execute, demonstrating the cross-site scripting vulnerability.
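The advisory does not show spin.js's internals, so the following is an added example (not spin.js code and not the advisory author's) of the general mechanism behind this bug class: a key planted on Object.prototype is picked up by an option-merge that walks inherited keys, while a hardened merge and a runtime check ignore and surface it. Whether spin.js merges options this way is an assumption; the function names and the polluted value are this example's own.

```javascript
// Added example: how Object.prototype pollution reaches library options, plus
// the defensive pattern and a runtime check. Not spin.js code.

const DEFAULTS = { lines: 12, length: 7, color: "#000" };

// Naive pattern (assumed, not verified against spin.js): for...in also walks
// inherited enumerable keys, so anything an attacker planted on
// Object.prototype becomes an "option" the library trusts.
function naiveMerge(defaults, opts) {
  const out = {};
  for (const k in defaults) out[k] = defaults[k];
  for (const k in opts) out[k] = opts[k];
  return out;
}

// Hardened pattern: null-prototype result, own keys only, and only keys the
// library actually documents. Polluted keys never reach the caller.
function safeMerge(defaults, opts) {
  const out = Object.create(null);
  for (const k of Object.keys(defaults)) out[k] = defaults[k];
  for (const k of Object.keys(opts || {})) {
    if (Object.prototype.hasOwnProperty.call(defaults, k)) out[k] = opts[k];
  }
  return out;
}

// Runtime check: Object.prototype has no enumerable own keys in a healthy
// page, so any returned here is evidence of pollution worth logging.
function findPollutedKeys() {
  return Object.keys(Object.prototype);
}

// Demonstration: plant a constructed marker the way a unit test would (a
// harmless string, not an exploit), compare both merges, then clean up.
function demo() {
  Object.prototype.polluted = "<constructed-marker>";
  try {
    return {
      detected: findPollutedKeys(),
      naive: naiveMerge(DEFAULTS, {}).polluted,
      safe: safeMerge(DEFAULTS, {}).polluted,
    };
  } finally {
    delete Object.prototype.polluted;
  }
}
```

Freezing Object.prototype at startup (Object.freeze) is a further mitigation that makes the planted assignment in demo() silently fail in strict-less code and throw in strict mode.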

Remediation

Upgrade spin.js to version 3.0.0 or higher.

Added: Mar 11, 2026, 6:19 AM
Updated: Mar 11, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.0
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.