Impact
The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.
Workarounds
Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.
Fixed Versions
9.0.0-beta.21
8.2.4
7.2.4
For more information
If you have any questions or comments about this advisory:
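Added example for the Workarounds section above (not part of the original advisory and not Electron's own code): a new-window handler that calls event.preventDefault() unless the url and options match what the app expects. The allowed origin, the expected webPreferences values and the function names are assumptions made for illustration; the advisory does not say which options are unsafe, so the sketch rejects any deviation from the expected values.

```javascript
// Constructed policy values for a hypothetical app; replace with your own.
const EXPECTED_ORIGINS = new Set(['https://app.example.com']);
// Preferences this hypothetical app expects a child window to carry.
const EXPECTED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true };

// Returns a reason string when the request is unexpected, or null when it is expected.
function unexpectedReason(url, options) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return 'unparseable url';
  }
  // Non-http(s) schemes such as file: report the origin "null" and fail here.
  if (!EXPECTED_ORIGINS.has(parsed.origin)) {
    return `unexpected origin: ${parsed.origin}`;
  }
  const prefs = (options && options.webPreferences) || {};
  for (const [key, value] of Object.entries(prefs)) {
    // Any preference that is unknown or differs from the expected value is rejected.
    const known = Object.prototype.hasOwnProperty.call(EXPECTED_WEB_PREFERENCES, key);
    if (!known || EXPECTED_WEB_PREFERENCES[key] !== value) {
      return `unexpected webPreferences.${key}`;
    }
  }
  return null;
}

// Handler using the argument order of the webContents 'new-window' event.
function onNewWindow(event, url, frameName, disposition, options) {
  const reason = unexpectedReason(url, options);
  if (reason !== null) {
    event.preventDefault(); // the workaround named in the advisory
  }
  return reason;
}

// Attach to any webContents-like emitter. In an Electron main process:
//   app.on('web-contents-created', (e, contents) => guardNewWindows(contents));
function guardNewWindows(contents) {
  contents.on('new-window', onNewWindow);
}
```

Returning the reason from the handler makes it easy to log every blocked request, which helps when tuning the expected values.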