Hello,
We have had a report of a security issue within our product and, after investigation, the issue is due to code internal to the SmartGWT JavaScript framework.
In the file ISC_Databinding.js there is this code:
    getPriorityQueue : function () {
        var pqText = this.get(this.priorityQueueKey);
        if (pqText) {
            // The stored string is evaluated as JavaScript, so whatever is in
            // offline storage runs with the page's privileges.
            eval("var pq = " + pqText);
        } else {
            var pq = [];
        }
        return pq;   // closing of the method is not in the quoted snippet
    }
The pqText string is retrieved from Offline Storage.
The complaint is that if the offline storage is modified to be “alert(1)” the alert will be displayed in the browser.
To reproduce this issue the security testing company did a manual change of the offline storage.
I tried their procedure on the SmartClient showcase (https://www.smartclient.com/smartcli...offlineSupport)
- go into developer tools
- Find isc-pq array. Edit it to be “alert(1)”
- click on the “Offline support” node in the left tree-grid
- the code is executed
I understand that there doesn’t seem to be a way to have the offline storage modified programmatically in the framework, but this is one of those cases where we get reports of issues that “might” occur. They are saying that all strings should be validated.
Is this something that you would consider fixing? We have to respond to the security report we were given.
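For comparison, here is an added example (not SmartClient/SmartGWT code) of the hardened form of the pattern quoted above: the queue text is parsed strictly as JSON and its shape is checked before use, so a stored value such as "alert(1)" is rejected instead of executed. The storage object, the key names and the allowed operation names are assumptions made up for the example.

```javascript
// Added example, not part of the framework: a priority-queue loader that never
// evals the string it reads from offline storage.

// Hypothetical stand-in for the framework's offline storage: a plain key/value
// map. Sample values are constructed for the example: one legitimate queue,
// one tampered entry, one entry with the wrong shape.
const sampleStorage = {
  "isc-pq-good": '[{"id":1,"op":"update"},{"id":2,"op":"add"}]',
  "isc-pq-tampered": "alert(1)",
  "isc-pq-wrongshape": '{"id":1}',
};

// Assumed whitelist of operations a queue entry may carry.
const ALLOWED_OPS = new Set(["add", "update", "remove"]);

// Structural check for one queue entry: plain object, integer id, known op.
function isQueueEntry(entry) {
  return entry !== null && typeof entry === "object" && !Array.isArray(entry)
    && Number.isInteger(entry.id)
    && typeof entry.op === "string" && ALLOWED_OPS.has(entry.op);
}

// Returns the parsed queue, [] when storage is empty, or null when the stored
// text is not a well-formed queue (not JSON, not an array, bad entries).
function parsePriorityQueue(pqText) {
  if (!pqText) return [];
  let parsed;
  try {
    parsed = JSON.parse(pqText);   // JSON.parse only builds data, never runs code
  } catch (e) {
    return null;                   // e.g. "alert(1)" is not JSON
  }
  if (!Array.isArray(parsed) || !parsed.every(isQueueEntry)) return null;
  return parsed;
}

// Safe replacement for the eval-based getPriorityQueue: a value that fails
// validation is treated as corrupted storage and discarded.
function getPriorityQueue(storage, key) {
  const queue = parsePriorityQueue(storage[key]);
  if (queue === null) {
    delete storage[key];
    return { queue: [], discarded: true };
  }
  return { queue, discarded: false };
}

// Usage: the tampered entry yields an empty queue and is removed from storage.
console.log(getPriorityQueue({ ...sampleStorage }, "isc-pq-good"));
console.log(getPriorityQueue({ ...sampleStorage }, "isc-pq-tampered"));
```

The essential change is replacing eval with JSON.parse plus a shape check: the queue is data, so it should be deserialized as data, and anything that does not match the expected structure is dropped rather than trusted.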