GMS-2020-726: Cross-Site Scripting in google-closure-library

September 2, 2020 (updated September 27, 2021)

Versions of google-closure-library prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The safedomtreeprocessor.processToString() function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting.

Recommendation

Upgrade to version 20190301.0.0 or later.

References

github.com/advisories/GHSA-r9q4-w3fm-wrm2
github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa
snyk.io/vuln/SNYK-JS-GOOGLECLOSURELIBRARY-174519
www.npmjs.com/advisories/878

Code Behaviors & Features

Detect and mitigate GMS-2020-726 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →