smartbanner.js rel noopener XSS vulnerability

smartbanner.js is a customizable smart app banner for iOS and Android. Prior to version 1.14.1, clicking on smartbanner `View` link and navigating to 3rd party page leaves `window.opener` exposed. It may allow hostile third parties to abuse `window.opener`, e.g. by redirection or injection on the original page with smartbanner. `rel="noopener"` is automatically populated to links as of `v1.14.1` which is a recommended upgrade to resolve the vulnerability. Some workarounds are available for those who cannot upgrade. Ensure `View` link is only taking users to App Store or Google Play Store where security is guarded by respective app store security teams. If `View` link is going to a third party page, limit smartbanner.js to be used on iOS that decreases the scope of the vulnerability since as of Safari 12.1, `rel="noopener"` is imposed on all `target="_blank"` links. Version 1.14.1 of smartbanner.js contains a fix for the issue.

N/A

指向未可信站点的URL重定向(开放重定向)

smartbanner.js 输入验证错误漏洞

smartbanner.js是Ain Tohvri个人开发者的一个适用于 iOS 和 Android 的可定制智能应用横幅。 smartbanner.js 1.14.1之前版本存在输入验证错误漏洞，该漏洞源于未正确处理window.opener属性。攻击者利用该漏洞可以执行跨站脚本攻击（XSS）。

N/A

N/A