quill is vulnerable to Tabnabbing
10
Low Risk
When a user clicks a link with the target="_blank" attribute, the linked page (target) opens in a new window or tab, which shares the same process as the original page. The window.opener object holds information about the original page that provided the link. If an attacker is able to run a script on the target page, they could potentially read or modify properties of the window.opener object, including the location property. This could allow the attacker to redirect the user to a malicious site, such as for phishing attacks, even if the original and target sites have different origins. Since the redirection occurs in the original window/tab, which may not be visible to the user, the user might not notice the suspicious redirection. However, modern browsers now automatically include rel="noopener" for links with target="_blank", mitigating this vulnerability and reducing its severity.
You are affected if you are using a version that falls within the vulnerable range.
quill is vulnerable to Tabnabbing in versions 0.0.1 - 1.3.7.
Upgrade the quill library to the patched version.
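As the description notes, rel="noopener" on a target="_blank" link severs window.opener. The following is an added example, not code from quill or from this advisory: it audits stored HTML for such links without the attribute and rewrites them. The function names and sample URLs are hypothetical, and it assumes anchors are serialized as ordinary opening tags.

```javascript
// Opening <a> tags, tolerating '>' inside quoted attribute values.
const ANCHOR_RE = /<a\s(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
// One attribute: name, then an optional double-, single- or un-quoted value.
const ATTR_RE = /([^\s=>\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+)))?/g;

// Parse an opening tag into an ordered Map of lower-cased name -> value.
function parseAttrs(tag) {
  const attrs = new Map();
  for (const m of tag.slice(2, -1).matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // On duplicate attributes the first one wins, as in HTML parsing.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// True when the link opens a new browsing context and leaves window.opener set.
// rel="noreferrer" also implies noopener, so either token counts as safe.
function isUnsafe(attrs) {
  if ((attrs.get('target') || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Return the hardened HTML plus the href of every link that needed fixing.
function hardenLinks(html) {
  const flagged = [];
  const out = html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if (!isUnsafe(attrs)) return tag;
    flagged.push(attrs.get('href') || '');
    // Keep existing rel tokens (e.g. nofollow) and append the missing ones.
    const rel = (attrs.get('rel') || '').split(/\s+/).filter(Boolean);
    attrs.set('rel', [...rel, 'noopener', 'noreferrer'].join(' '));
    const parts = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`);
    return `<a ${parts.join(' ')}>`;
  });
  return { html: out, flagged };
}

// Constructed sample of stored editor output (hypothetical URLs).
const SAMPLE =
  '<p><a href="https://example.com/a" target="_blank">one</a> ' +
  '<a href="https://example.com/b" target="_blank" rel="nofollow">two</a> ' +
  '<a href="https://example.com/c" target="_blank" rel="noopener">three</a> ' +
  '<a href="https://example.com/d">four</a></p>';

console.log(hardenLinks(SAMPLE));
```

The `flagged` list can feed a report of content saved while a vulnerable version was in use; the rewrite is idempotent, so it is safe to run repeatedly over the same content.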