Advisories for Npm/Gmail-Js package

2016

DOM-based XSS

Three functions exposed by the Gmail.js API (not the Google Gmail API) are vulnerable to DOM-based cross-site scripting. The three functions are tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post. Each of these functions calls new Function() with user data passed as the argument.

DOM-based XSS

Three functions exposed by the Gmail.js API (not the Google Gmail API) are vulnerable to DOM-based cross-site scripting (DOMXSS). The three functions are tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post. Each of these functions calls new Function() with user data passed as the argument.

This vulnerability is being disclosed before a public patched version is available because the issue was reported in a public GitHub issue.
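The pattern both advisories describe, shown next to a data-only parser. This is an added example, not code from Gmail.js: parseUnsafe, parseSafe, demo and the sample strings are hypothetical, and it assumes the data being parsed is valid JSON.

```javascript
// Added illustration; not taken from the gmail.js source.

// Vulnerable pattern: the input string becomes the body of a new function,
// so any JavaScript it contains runs with the privileges of the calling page.
function parseUnsafe(responseText) {
  return new Function('return ' + responseText)();
}

// Hardened form: JSON.parse only builds data and throws on anything else.
function parseSafe(responseText) {
  try {
    return { ok: true, value: JSON.parse(responseText) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample inputs (not real Gmail responses).
const benign = '[["tb", 0, ["subject", "hello"]]]';
// A harmless marker expression: it only records that evaluation took place.
const marker = '(globalThis.__evaluated = true, [])';

function demo() {
  globalThis.__evaluated = false;
  const unsafeBenign = parseUnsafe(benign);
  parseUnsafe(marker);
  const ranUnderUnsafe = globalThis.__evaluated;

  globalThis.__evaluated = false;
  const safeBenign = parseSafe(benign);
  const safeMarker = parseSafe(marker);
  const ranUnderSafe = globalThis.__evaluated;

  return { unsafeBenign, ranUnderUnsafe, safeBenign, safeMarker, ranUnderSafe };
}

console.log(demo());
```

Both parsers return the same structure for well-formed data; only the new Function() version evaluates the marker string, while parseSafe rejects it with a syntax error.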