GMS-2020-507: Reverse Tabnabbing in showdown
Versions of showdown are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
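The following is an added example, not code from showdown or from this advisory: one way to audit and harden rendered HTML so that every anchor with target='_blank' carries rel="noopener noreferrer", which leaves window.opener null in the opened page. The function names are hypothetical, the sample HTML is constructed, and the regex matching assumes attribute values contain no '>' character.

```javascript
// Added example (not showdown's code): harden rendered HTML so every anchor
// with target="_blank" carries rel="noopener noreferrer", which makes
// window.opener null in the page that the link opens.
const REQUIRED_REL = ['noopener', 'noreferrer'];

// One opening <a ...> tag; assumes attribute values contain no '>' character.
const ANCHOR_TAG = /<a(\s[^>]*)>/gi;
const TARGET_BLANK = /\starget\s*=\s*(?:"_blank"|'_blank'|_blank(?=[\s/]|$))/i;
const REL_ATTR = /\srel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Split the rel value of an attribute string into tokens (null if no rel).
function relTokens(attrs) {
  const m = REL_ATTR.exec(attrs);
  if (!m) return null;
  return (m[1] ?? m[2] ?? m[3] ?? '').split(/\s+/).filter(Boolean);
}

// Required rel tokens that a target=_blank anchor is still missing.
function missingRel(attrs) {
  if (!TARGET_BLANK.test(attrs)) return [];
  const have = (relTokens(attrs) || []).map((t) => t.toLowerCase());
  return REQUIRED_REL.filter((t) => !have.includes(t));
}

// Audit: return the anchor tags that open a new tab without the required rel.
function findUnsafeAnchors(html) {
  return [...html.matchAll(ANCHOR_TAG)]
    .filter((m) => missingRel(m[1]).length > 0)
    .map((m) => m[0]);
}

// Fix: merge the missing tokens into rel, keeping tokens already present.
function hardenLinks(html) {
  return html.replace(ANCHOR_TAG, (tag, attrs) => {
    const missing = missingRel(attrs);
    if (missing.length === 0) return tag;
    const rel = ` rel="${[...(relTokens(attrs) || []), ...missing].join(' ')}"`;
    const fixed = REL_ATTR.test(attrs) ? attrs.replace(REL_ATTR, () => rel) : attrs + rel;
    return `<a${fixed}>`;
  });
}

// Constructed sample resembling Markdown-converter output.
const sample =
  '<p><a href="https://example.com" target="_blank">one</a> ' +
  "<a href='/docs' target='_blank' rel='nofollow'>two</a> " +
  '<a href="/local">three</a></p>';
console.log(findUnsafeAnchors(sample));
console.log(hardenLinks(sample));
```

The audit function can run in a test suite over rendered output, while the hardening function is a stopgap for output that cannot yet be regenerated with a fixed converter.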