You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We use this plugin on multiple shops and in our security scans a vulnerabillity came up.
Within the file src/Resources/app/storefront/src/main.js there are these lines:
const gtmPush = request.getResponseHeader('gtm-push');
if (gtmPush && window.dataLayer) {
window.dataLayer.push(JSON.parse(gtmPush));
if (window.gaRegisterClickTracking) {
window.gaRegisterClickTracking();
}
}
If I manually add a cookie '_gtm_push' in my browser with a random value, and reload the page, this value is reflected within the source code, for instance the result is
So this script is vulnerable for cross-site scripting.
I would like to fix this but I first want to understand why these lines are in the code because I don't know why you should fetch this value.
The text was updated successfully, but these errors were encountered:
The loadened event will be fired when switching between product pages in the listing. When you reload the page, the variable in meta.html.twig will be filled in StorefrontRenderSubscriber.php. That would most likely the place where you can fix this issue.
We use this plugin on multiple shops and in our security scans a vulnerabillity came up.
Within the file src/Resources/app/storefront/src/main.js there are these lines:
If I manually add a cookie '_gtm_push' in my browser with a random value, and reload the page, this value is reflected within the source code, for instance the result is
So this script is vulnerable for cross-site scripting.
I would like to fix this but I first want to understand why these lines are in the code because I don't know why you should fetch this value.
The text was updated successfully, but these errors were encountered: