Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU4OG0tOXFnNS0zNXBx
Reverse Tabnabbing in quill
Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-588m-9qg5-35pqJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU4OG0tOXFnNS0zNXBx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-588m-9qg5-35pq
References:
- https://github.com/quilljs/quill/issues/2438
- https://github.com/quilljs/quill/pull/2674
- https://www.npmjs.com/advisories/1039
- https://github.com/advisories/GHSA-588m-9qg5-35pq
Blast Radius: 29.6
Affected Packages
npm:quill
Dependent packages: 2,158Dependent repositories: 35,962
Downloads: 5,362,054 last month
Affected Version Ranges: < 1.3.7
Fixed in: 1.3.7
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.7, 0.19.8, 0.19.10, 0.19.11, 0.19.12, 0.19.14, 0.20.0, 0.20.1, 1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6
All unaffected versions: 1.3.7, 2.0.0, 2.0.1