Locize Client SDK Cross-Origin DOM-Based XSS Vulnerability via PostMessage Origin Validation Error
Vulnerability
A cross-origin DOM-based cross-site scripting vulnerability has been identified in the Locize client SDK, prior to version 4.0.21. The issue arises because the SDK registers a message event listener that dispatches to internal handlers without validating the origin of the event. This flaw allows any web page that can embed or be embedded by a Locize-enabled host to send crafted messages that trigger these internal handlers, potentially leading to cross-site scripting or hijacking of API origins.
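The listener pattern the advisory describes, shown as an added example that is not the Locize SDK's own code: an unchecked dispatcher beside one that validates event.origin against an allow-list before dispatching. Handler names, the message shape and the origins are assumptions chosen for illustration.

```javascript
// Constructed example, not the Locize SDK's own code: a postMessage dispatcher
// of the shape the advisory describes, beside an origin-validated version.
// Handler names, message shape and origins are assumptions for illustration.
function makeHandlers(state) {          // hypothetical internal handlers by type
  return {
    setApiOrigin(payload) { state.apiOrigin = payload.url; },
  };
}

// Unchecked pattern: any window that can post to this one reaches the handlers.
function makeUnvalidatedListener(state) {
  const handlers = makeHandlers(state);
  return function onMessage(event) {
    const msg = event.data || {};
    const handler = handlers[msg.type];
    if (!handler) return false;
    handler(msg.payload || {});
    return true;
  };
}

// Hardened pattern: compare event.origin against an explicit allow-list before
// dispatching, and only dispatch to handlers the object itself defines.
function makeValidatedListener(state, allowedOrigins) {
  const handlers = makeHandlers(state);
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false; // the missing origin check
    const msg = event.data;
    if (typeof msg !== 'object' || msg === null) return false;
    if (!Object.prototype.hasOwnProperty.call(handlers, msg.type)) return false;
    handlers[msg.type](msg.payload || {});
    return true;
  };
}

// Constructed stand-ins for browser MessageEvent objects.
const trustedEvent = { origin: 'https://editor.example',
  data: { type: 'setApiOrigin', payload: { url: 'https://api.example' } } };
const untrustedEvent = { origin: 'https://other.example',
  data: { type: 'setApiOrigin', payload: { url: 'https://other.example/api' } } };

// Runs the same untrusted message through both listeners.
function demo() {
  const unchecked = {}, checked = {};
  makeUnvalidatedListener(unchecked)(untrustedEvent);
  const listen = makeValidatedListener(checked, ['https://editor.example']);
  listen(trustedEvent); listen(untrustedEvent);
  return { uncheckedApi: unchecked.apiOrigin, checkedApi: checked.apiOrigin };
}
```

In a browser the listener would be registered with window.addEventListener('message', onMessage); the allow-list should hold the exact scheme, host and port of each window the page legitimately exchanges messages with.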
Impact
Exploitation of this vulnerability could lead to cross-origin DOM-based cross-site scripting, allowing attackers to inject malicious scripts that run in the user's browser in the context of the page that loaded the SDK.
Remediation
Users are advised to upgrade to Locize version 4.0.21 or later, where this vulnerability has been patched. Instructions for upgrading can be found in the Locize GitHub repository.
