Reverse Tabnabbing in Quill

Published: 2019-07-11 18:54:50 | Updated: 2019-07-11
Severity Low
Patch available NO
Number of vulnerabilities 1
CVE ID N/A
CVSSv3 2.9 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CWE ID CWE-1022
Exploitation vector Network
Public exploit N/A
Vulnerable software Quill
Vulnerable software versions Quill 2.0.0
Quill 1.3.6
Quill 1.3.5


Vendor URL Quilljs

Security Advisory

1) Reverse Tabnabbing

Description

The vulnerability allows a remote attacker to redirect the user's original browser tab to an arbitrary site (reverse tabnabbing) once the user follows a link placed in the editor.

The vulnerability exists due to reverse tabnabbing via the snow theme. The link rendered by the theme has its "target" attribute set to "_blank" but no "rel" attribute, so the page opened from the link keeps a window.opener reference to the page hosting the editor. A remote attacker who controls the link destination can set window.opener.location from the opened page to automatically redirect the user's original tab to a malicious site, for example a phishing page that imitates the editor's login screen. Exploitation requires the user to click the link.
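The following is an added example, not Quill's code nor part of the original advisory: it checks whether an anchor is tabnabbable (target="_blank" with no noopener/noreferrer), produces the hardened form, and simulates what the opened page can do with window.opener. The anchor markup and URLs are constructed for the example and are not the snow theme's real output; the simulated window objects model the pre-2021 browser behaviour the advisory assumes (Chrome 88+, Firefox 79+ and Safari 12.1+ now imply noopener for target="_blank", which limits the impact on current browsers).

```javascript
// Added example, not Quill's code: detect and fix a tabnabbable anchor, and
// simulate the window.opener redirect the advisory describes.
// The anchor markup below is constructed for this example, not the snow
// theme's actual output.

// Parse double-quoted attributes out of a single <a ...> tag string.
function parseAnchorAttrs(html) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// rel tokens are space-separated and case-insensitive.
function relTokens(attrs) {
  return (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// A link is tabnabbable when it opens a new browsing context (target="_blank")
// without severing the opener reference. rel="noreferrer" implies noopener.
function isTabnabbable(html) {
  const attrs = parseAnchorAttrs(html);
  const rel = relTokens(attrs);
  return (attrs.target || '').toLowerCase() === '_blank'
    && !rel.includes('noopener')
    && !rel.includes('noreferrer');
}

// Return the anchor with rel="noopener noreferrer" added (merged into an
// existing rel attribute if there is one). Safe anchors are returned unchanged.
function hardenAnchor(html) {
  if (!isTabnabbable(html)) return html;
  const attrs = parseAnchorAttrs(html);
  if ('rel' in attrs) {
    const merged = [...new Set([...relTokens(attrs), 'noopener', 'noreferrer'])].join(' ');
    return html.replace(/rel\s*=\s*"[^"]*"/i, `rel="${merged}"`);
  }
  return html.replace(/^<a\b/i, '<a rel="noopener noreferrer"');
}

// Simulate following the link: the new tab keeps a window.opener reference to the
// editor tab unless noopener/noreferrer is present (legacy browser behaviour).
function openInNewTab(html, openerWindow) {
  return {
    opener: isTabnabbable(html) ? openerWindow : null,
    location: parseAnchorAttrs(html).href,
  };
}

// The attacker's page, running in the new tab, redirects the original tab if it
// still holds an opener reference; this is the window.opener.location write.
function attackerPayload(newTab, phishingUrl) {
  if (!newTab.opener) return false;
  newTab.opener.location = phishingUrl;
  return true;
}

// Constructed sample inputs (hypothetical hosts).
const VULNERABLE = '<a target="_blank" href="https://attacker.example/page">link</a>';
const HARDENED = hardenAnchor(VULNERABLE);

// Run the attack against the vulnerable anchor and the hardened one.
function demo() {
  const editorTab = { location: 'https://editor.example/doc' };
  attackerPayload(openInNewTab(VULNERABLE, editorTab), 'https://attacker.example/login');
  const hijacked = editorTab.location;

  const editorTabFixed = { location: 'https://editor.example/doc' };
  attackerPayload(openInNewTab(HARDENED, editorTabFixed), 'https://attacker.example/login');
  return { hijacked, afterFix: editorTabFixed.location };
}
```

Running demo() shows the vulnerable anchor lets the opened page move the editor tab to the phishing URL, while the hardened anchor leaves it untouched. The same isTabnabbable check can be run over an editor's rendered HTML to audit every outbound link, not just the theme's own preview link.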

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability. As a general mitigation, any link the editor renders with target="_blank" should also carry rel="noopener noreferrer", which prevents the opened page from obtaining a window.opener reference; this is the standard fix for reverse tabnabbing and can be applied in the host application's sanitizer or link-rendering code.

External links

https://github.com/quilljs/quill/issues/2438
https://github.com/quilljs/quill/pull/2674
https://github.com/quilljs/quill/pull/2439