GMS-2016-44: DOM-based XSS

July 21, 2016

Three functions exposed by the Gmail.js API (not the Google Gmail API) are vulnerable to DOM-based cross site scripting. The three functions are tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post. Each one of these functions calls new Function() with user data passed as the argument.

References

github.com/KartikTalwar/gmail.js/commit/a83436f499f9c01b04280af945a5a81137b6baf1
github.com/KartikTalwar/gmail.js/issues/281

Code Behaviors & Features

Detect and mitigate GMS-2016-44 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →