The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.
Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.
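One way to apply this workaround, as an added example that is not code from the advisory or from Electron. The allowed origin, the pinned webPreferences values, and the function names isExpectedWindow and guardNewWindows are assumptions; the advisory does not list which options are unsafe, so pin whatever your application actually expects.

```javascript
// Constructed allowlist: origins this app is expected to open in child windows.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Assumed policy: webPreferences values a child window must not deviate from.
const EXPECTED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  webSecurity: true,
};

// Returns true only when both the url and the options are what the app expects.
function isExpectedWindow(url, options) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // an unparsable URL is never expected
  }
  // file: URLs have the opaque origin "null", so they fail this check too.
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return false;

  const prefs = (options && options.webPreferences) || {};
  for (const [key, expected] of Object.entries(EXPECTED_PREFS)) {
    // A pinned preference that is present must carry the expected value.
    if (key in prefs && prefs[key] !== expected) return false;
  }
  return true;
}

// `contents` is an Electron webContents. Wire it up for every window with:
//   app.on('web-contents-created', (_e, contents) => guardNewWindows(contents));
function guardNewWindows(contents) {
  contents.on('new-window', (event, url, frameName, disposition, options) => {
    if (!isExpectedWindow(url, options)) event.preventDefault();
  });
}
```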
9.0.0-beta.21
8.2.4
7.2.4
If you have any questions or comments about this advisory: