Impact
Any user who accesses a bot page on which this vulnerability is being exploited is at risk.
Patches
n/a
Workarounds
n/a
Issue Report
Describe the Bug
If you use an iFrame and link it to a document that has a script such as the one below, it allows forcibly redirecting users to another site when they try to view the bot page.
<script language="javascript">
window.top.location = 'https://example.com';
</script>
or
<script language="javascript">
window.parent.location = 'https://example.com';
</script>
Steps to Reproduce
- Add an iframe to the bot page and link it to a document with the contents of something like
<script language="javascript">
window.top.location = 'https://example.com';
</script>
or
<script language="javascript">
window.parent.location = 'https://example.com';
</script>
- Save
- Attempt to view the bot page.
Expected Behavior
You shouldn't be able to modify the parent or top properties.
Screenshots
Environment
- OS: Windows 10
- Browser: Firefox
- Version: 82.0b2 (64-bit)
— @BannerBomb
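The behaviour the report asks for (a framed document that cannot change `window.top` or `window.parent`) is what the iframe `sandbox` attribute provides when the tokens `allow-top-navigation`, `allow-top-navigation-by-user-activation` and `allow-top-navigation-to-custom-protocols` are absent: the browser then refuses the navigation and the assignment fails with a SecurityError inside the frame. The following is an added example, not code from the advisory or from the affected project, showing one server-side way to enforce that on user-supplied bot-page HTML before it is rendered. It assumes the site can rewrite `<iframe>` tags in the stored HTML; the `allow-scripts`-only default applied to iframes that have no `sandbox` attribute is a hypothetical policy choice, and the regex tag matching is a demonstration stand-in for a real HTML sanitizer.

```javascript
// Added example (not part of the advisory or the project's own code).
// Assumption: user-supplied bot-page HTML passes through this function
// before being served, so every <iframe> opening tag can be rewritten.

// Sandbox tokens that would let the framed document navigate the embedding
// page (the window.top / window.parent redirect described in the report).
const TOP_NAVIGATION_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Hypothetical default for iframes that carry no sandbox attribute at all.
// An absent attribute means "no restrictions", so it must be replaced.
const DEFAULT_SANDBOX = 'allow-scripts';

// Parse the attribute string of a single tag into a name -> value map.
// Handles name="value", name='value', name=value and bare name.
function parseAttributes(attrString) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs[name] = value;
  }
  return attrs;
}

// Keep whatever sandbox tokens the page author set, but never grant
// top-level navigation. An empty string is the most restrictive sandbox.
function hardenSandbox(existing) {
  const tokens = existing === undefined
    ? DEFAULT_SANDBOX.split(' ')
    : existing.split(/\s+/).filter(Boolean);
  return tokens
    .filter((t) => !TOP_NAVIGATION_TOKENS.has(t.toLowerCase()))
    .join(' ');
}

// Rewrite every <iframe ...> opening tag in an HTML fragment so that it
// carries a sandbox attribute without any top-navigation token.
function hardenIframes(html) {
  return html.replace(/<iframe\b([^>]*)>/gi, (tag, attrString) => {
    const attrs = parseAttributes(attrString.replace(/\/\s*$/, ''));
    attrs.sandbox = hardenSandbox(attrs.sandbox);
    const rebuilt = Object.entries(attrs)
      .map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`)
      .join(' ');
    return `<iframe ${rebuilt}>`;
  });
}

// Constructed sample of a stored bot page embedding an external document
// that would try the window.top redirect from the report.
const SAMPLE_PAGE =
  '<p>My bot</p>' +
  '<iframe src="https://example.com/redirect.html" ' +
  'sandbox="allow-scripts allow-top-navigation"></iframe>';

console.log(hardenIframes(SAMPLE_PAGE));

module.exports = { parseAttributes, hardenSandbox, hardenIframes };
```

With `allow-scripts` present but no top-navigation token, the framed document's script still runs, but `window.top.location = '...'` is blocked by the browser rather than redirecting the user. Note that `allow-scripts` combined with `allow-same-origin` lets a same-origin framed document remove its own sandbox, so a site whose user content is served from the main origin should also reject that pairing.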
For more information
If you have any questions or comments about this advisory: