Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix https://npmjs.com/advisories/1039 #2746

Closed
danfuzz opened this issue Aug 26, 2019 · 8 comments
Closed

Fix https://npmjs.com/advisories/1039 #2746

danfuzz opened this issue Aug 26, 2019 · 8 comments

Comments

@danfuzz
Copy link

danfuzz commented Aug 26, 2019
edited
Loading

Steps for Reproduction:

  1. npm install quill
  2. npm audit

Expected behavior:

No security advisory.

Actual behavior:

Security advisory: https://npmjs.com/advisories/1039

Overview
All versions of quill are vulnerable to Reverse Tabnapping. The package uses
target='_blank' in anchor tags, allowing attackers to access window.opener for
the original page when opening links. This is commonly used for phishing
attacks.

Remediation
No fix is currently available. Consider using an alternative package until a fix is
made available.

Platforms:

N/A

Version:

"All versions" per the advisory.

Additional Notes:

If at all possible, please release / publish fixes for both 1.2.* and 1.3.*. Thanks for your consideration.
@brickfungus brickfungus mentioned this issue Aug 27, 2019
Open
@jvhoven
Copy link

jvhoven commented Sep 3, 2019
edited
Loading

Related pull request #2674.

@jhchen
Copy link
Member

jhchen commented Sep 10, 2019

Fixed in https://github.com/quilljs/quill/releases/tag/v1.3.7

@jhchen jhchen closed this as completed Sep 10, 2019
@NagarajuGaddam1
Copy link

NagarajuGaddam1 commented Sep 17, 2019
edited
Loading

Steps for Reproduction:

  1. npm install quill
  2. npm audit

Expected behavior:

No security advisory.

Actual behavior:

Security advisory: https://npmjs.com/advisories/1039

Overview
All versions of quill are vulnerable to Reverse Tabnapping. The package uses
target='_blank' in anchor tags, allowing attackers to access window.opener for
the original page when opening links. This is commonly used for phishing
attacks.

Remediation
No fix is currently available. Consider using an alternative package until a fix is
made available.

Platforms:

N/A

Version:

"All versions" per the advisory.

Additional Notes:

If at all possible, please release / publish fixes for both 1.2.* and 1.3.*. Thanks for your consideration.

is it fixed in 1.3.6 or 1.3.7? i tried both but still shows the same issue can you please help me here.

@d4l-w4r
Copy link
Contributor

d4l-w4r commented Sep 17, 2019

@NagarajuGaddam1 the issue has been fixed with release version 1.3.7.
Make sure you add "quill": "^1.3.7" to your dependencies in package.json and run an npm install.
Or just npm audit fix

@NagarajuGaddam1
Copy link

@danielw93 : Thanks for your reply, Actually i am using "ngx-quill-editor": "2.2.2" and it is dependent on 1.3.6 is there any chance we can fix this in 1.3.6?

@udanpe
Copy link

udanpe commented Sep 17, 2019

@NagarajuGaddam1 ngx-quill-editor have "quill": "^1.3.1" just run npm remove ngx-quill-editor --save && npm install ngx-quill-editor --save or remove node_modules and package_lock.json and run npm install. Old versions cant be changed

@NagarajuGaddam1
Copy link

NagarajuGaddam1 commented Sep 18, 2019 via email

@bobitza
Copy link

bobitza commented Feb 21, 2022

GHSA-4943-9vgg-gr5r still on 1.3.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@jhchen @danfuzz @bobitza @d4l-w4r @jvhoven @udanpe @NagarajuGaddam1