Impact
Clicking on smartbanner View link and navigating to 3rd party page leaves window.opener
exposed. It may allow hostile 3rd parties to abuse window.opener
, e.g. by redirection or injection on the original page with smartbanner.
Patches
rel="noopener"
is automatically populated to links as of v1.14.1
which is a recommended upgrade to resolve the vulnerability.
Workarounds
If you can not upgrade to v1.14.1
:
-
Ensure View link is only taking users to App Store or Google Play Store where security is guarded by respective app store security teams
-
If View link is going to a 3rd party page, limit smartbanner.js to be used on iOS that decreases the scope of the vulnerability since as of Safari 12.1, rel="noopener"
is imposed on all target="_blank"
links.
Following combination of smartbanner meta tags can be used to achieve the above:
<meta name="smartbanner:enabled-platforms" content="none">
<meta name="smartbanner:include-user-agent-regex" content="Mobile.*Safari">
References
For more information
If you have any questions or comments about this advisory:
Impact
Clicking on smartbanner View link and navigating to 3rd party page leaves
window.opener
exposed. It may allow hostile 3rd parties to abusewindow.opener
, e.g. by redirection or injection on the original page with smartbanner.Patches
rel="noopener"
is automatically populated to links as ofv1.14.1
which is a recommended upgrade to resolve the vulnerability.Workarounds
If you can not upgrade to
v1.14.1
:Ensure View link is only taking users to App Store or Google Play Store where security is guarded by respective app store security teams
If View link is going to a 3rd party page, limit smartbanner.js to be used on iOS that decreases the scope of the vulnerability since as of Safari 12.1,
rel="noopener"
is imposed on alltarget="_blank"
links.Following combination of smartbanner meta tags can be used to achieve the above:
References
For more information
If you have any questions or comments about this advisory: