Advisories for Npm/Vega-Selections package

2026

Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope

Vega offers the evaluation of expressions in a secure context. Arbitrary function calls are prohibited. When an event is exposed to an expression, member access on window objects is possible. Because of this exposure, in some applications a crafted object whose map value is a function copied from window, such that invoking it results in calling this.foo(this.bar), can be passed to the vlSelectionTuples function; this calls the copied map function, allowing …

2025