Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsafe Use of Target blank in QUASAR CDN content. #15990 #17829

Open
Sai12-34-1 opened this issue Feb 13, 2025 · 0 comments
Open

Unsafe Use of Target blank in QUASAR CDN content. #15990 #17829

Sai12-34-1 opened this issue Feb 13, 2025 · 0 comments
Labels
bug/1-repro-available A reproduction is available and needs to be confirmed. flavour/umd kind/bug 🐞 mode/spa Qv2 🔝 Quasar v2 issues

Comments

@Sai12-34-1
Copy link

What happened?

Unsafe Use of Target blank , In the application, when opening a new page using an HTML element with the "target"
attribute (with any value), or with window.open() within JavaScript, the new page has some access to the original page through the window.opener object. This may allow redirection to a malicious phishing page.

What did you expect to happen?

When invoking an untrusted new window using "var newWindow = window.open()", set "newWindow.opener=null" before setting "newWindow.location" to a potentially untrusted site, such that when the new site is open in the new window, it has no access to its original "opener" attribute.

Reproduction URL

https://jsfiddle.net/rstoenescu/a2cuzods

How to reproduce?

  1. Go to the provided URL.
  2. Open the CDN url of Quasar (https://cdn.jsdelivr.net/npm/quasar@2/dist/quasar.umd.prod.js).
Image

Search for "window.open()" in the file content.

Flavour

UMD

Areas

SPA Mode

Platforms/Browsers

Chrome

Quasar info output



Relevant log output




Additional context


No response

      		
    

      
  





        



            

              
            

        

      


      
    








      

    



      

  
            


    

    

      
    

    


      

          @github-actions
github-actions
bot



            added
      

  bug/1-repro-available

  A reproduction is available and needs to be confirmed.

      

  flavour/umd


      

  mode/spa


  labels


      Feb 13, 2025

    

  












  
  

    

      

  





  




  
  

              

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  



  






  
                  




    

  


      
  

    Assignees
  



        

    No one assigned







      


  


  

    Labels
  



    

      

    bug/1-repro-available

  A reproduction is available and needs to be confirmed.
  

    flavour/umd

  

    kind/bug 🐞

  

    mode/spa

  

    Qv2 🔝

  Quasar v2 issues








      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          
  

    

      

        
          

            
    

    Development
  




              
    
No branches or pull requests







        
      

    

  


      

    

  
      

  

    

      1 participant
    

    

        
          @Sai12-34-1