GMS-2019-143: Reverse Tabnapping in swagger-ui

June 20, 2019 (updated August 16, 2021)

Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks.

Recommendation

Upgrade to version 3.18.0 or later.

References

github.com/advisories/GHSA-x9p2-fxq6-2m5f
github.com/swagger-api/swagger-ui/commit/3f4cae3334fdd492a373f4453bd03a9ebd87becf
github.com/swagger-api/swagger-ui/pull/4789
github.com/swagger-api/swagger-ui/releases/tag/v3.18.0
snyk.io/vuln/SNYK-JS-SWAGGERUI-449808
www.npmjs.com/advisories/975

Code Behaviors & Features

Detect and mitigate GMS-2019-143 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →