Advisories for Gem/Mapbox-Rails package

2016

Content Injection via TileJSON Name

If you use L.mapbox.map together with L.mapbox.shareControl, a malicious user who controls the TileJSON the map loads can inject script into its name value. When a user clicks the share control, that script is written into the page and executes in the context of the page using Mapbox.js.

2015

Content Injection via TileJSON attribute

If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON from a non-Mapbox URL, a malicious user who controls that TileJSON can inject script into its attribution value. Mapbox.js renders the attribution into the page, so the injected script executes in the context of the page using Mapbox.js.
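Both advisories above are the same defect: a string field from an attacker-controlled TileJSON document is concatenated into page markup as-is. The example below is added here and is not Mapbox.js or mapbox-rails code; it shows the vulnerable rendering pattern beside a hardened one, using a constructed TileJSON document (names, URLs and the `renderUnsafe`/`renderSafe`/`sanitizeAttribution` functions are illustrative assumptions, not the library's API). The name field is plain text and can simply be escaped; the attribution field legitimately carries links (the TileJSON spec allows implementations to treat it as HTML), so full escaping would break real attributions and an allowlist sanitizer is used instead, keeping only text and `<a href="http(s)://...">`.

```javascript
// Added example, not Mapbox.js code: rendering untrusted TileJSON fields safely.

// Constructed TileJSON, as a malicious non-Mapbox endpoint might serve it.
const UNTRUSTED_TILEJSON = {
  tilejson: '2.0.0',
  name: 'My map<img src=x onerror="alert(document.cookie)">',
  attribution: '&copy; <a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a>' +
               ' contributors<script>alert(1)</script>',
  tiles: ['https://tiles.example.invalid/{z}/{x}/{y}.png'] // hypothetical host
};

// For text nodes only '<' and '>' can open markup; entities such as &copy; stay intact.
function escapeText(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values additionally need quotes and '&' escaped.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Vulnerable pattern (the shape of the bug in the advisories): raw concatenation.
function renderUnsafe(tilejson) {
  return '<div class="attribution">' + tilejson.attribution + '</div>' +
         '<input class="share-title" value="' + tilejson.name + '">';
}

// Allowlist sanitizer for attribution HTML: keeps text and <a href="http(s)://..."> links,
// drops every other tag (and the body of <script>/<style>), and never emits a raw '<'.
function sanitizeAttribution(html) {
  const out = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let last = 0, open = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index)));   // text between tags
    last = tagRe.lastIndex;
    const closing = m[0][1] === '/';
    const tag = m[1].toLowerCase();
    if (!closing && (tag === 'script' || tag === 'style')) { // drop the element body too
      const end = html.toLowerCase().indexOf('</' + tag + '>', last);
      last = end === -1 ? html.length : end + tag.length + 3;
      tagRe.lastIndex = last;
      continue;
    }
    if (tag !== 'a') continue;                            // other tags vanish, text stays
    if (closing) { if (open > 0) { out.push('</a>'); open--; } continue; }
    const href = /href\s*=\s*["']([^"']*)["']/i.exec(m[2]);
    if (!href || !/^https?:\/\//i.test(href[1])) continue; // rejects javascript:, data:, ...
    out.push('<a href="' + escapeAttr(href[1]) + '" rel="noopener noreferrer">');
    open++;
  }
  out.push(escapeText(html.slice(last)));
  return out.join('');
}

// Hardened pattern: name escaped as an attribute value, attribution sanitized.
function renderSafe(tilejson) {
  return '<div class="attribution">' + sanitizeAttribution(tilejson.attribution) + '</div>' +
         '<input class="share-title" value="' + escapeAttr(tilejson.name) + '">';
}

console.log(renderUnsafe(UNTRUSTED_TILEJSON));
console.log(renderSafe(UNTRUSTED_TILEJSON));
```

The sanitizer deliberately re-emits only the attributes it understands rather than copying the original tag, so event handlers, `target`, `style` and malformed quoting on an otherwise allowed `<a>` are discarded along with the tag text. In a real application, prefer a maintained HTML sanitizer over a hand-written one; the point here is that a field the spec allows to contain HTML must be treated as untrusted markup, not as a string to concatenate.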