CVE-2020-11611: URL Redirection to Untrusted Site ('Open Redirect')

December 9, 2021

An issue was discovered in xdLocalStorage The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages that the client sends.

References

github.com/advisories/GHSA-c6c4-jmqx-3r33
github.com/ofirdagan/cross-domain-local-storage
grimhacker.com/exploiting-xdlocalstorage-localstorage-and-postmessage/
nvd.nist.gov/vuln/detail/CVE-2020-11611

Detect and mitigate CVE-2020-11611 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →