braintree-web-drop-in is vulnerable to Cross-Site Scripting (XSS)
25
Low Risk
Braintree Drop-in renders payment method details, error messages, and payment option labels by assigning strings to innerHTML and relies on a sanitizeHtml helper that only escapes < and >. Untrusted values such as a vaulted PayPal account email or payment source strings are inserted into the DOM without complete escaping, so embedded markup can execute as script in the merchant checkout page. Before the fix this allows cross-site scripting when such values reach the affected rendering paths. The fix replaces the vulnerable innerHTML writes with textContent, tightens sanitizeHtml to also escape &, ", and ', and sanitizes the PayPal email and payment option values before template insertion.
You are affected if you are using a version that falls within the vulnerable range.
braintree-web-drop-in is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 1.46.1.
Upgrade the braintree-web-drop-in library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant