CVE-2025-25300: smartbanner.js rel noopener vulnerability

September 13, 2019 (updated October 31, 2025)

Clicking on smartbanner View link and navigating to 3rd party page leaves window.opener exposed. It may allow hostile 3rd parties to abuse window.opener, e.g. by redirection or injection on the original page with smartbanner.

References

github.com/advisories/GHSA-9mrq-cjgh-32g2
github.com/ain/smartbanner.js
github.com/ain/smartbanner.js/commit/fce8c31dfe04033d9d005a89694d3e7a60784f89
github.com/ain/smartbanner.js/security/advisories/GHSA-9mrq-cjgh-32g2
nvd.nist.gov/vuln/detail/CVE-2025-25300

Code Behaviors & Features

Detect and mitigate CVE-2025-25300 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →