{
  "schema_version": "1.4.0",
  "id": "GHSA-9mrq-cjgh-32g2",
  "modified": "2025-02-18T18:27:07Z",
  "published": "2019-09-13T13:22:33Z",
  "aliases": [
    "CVE-2025-25300"
  ],
  "summary": "smartbanner.js rel noopener vulnerability",
  "details": "## rel noopener vulnerability\n\n### Impact\nClicking on smartbanner _View_ link and navigating to 3rd party page leaves `window.opener` exposed. It may allow hostile 3rd parties to abuse `window.opener`, e.g. by redirection or injection on the original page with smartbanner.\n\n### Patches\n`rel=\"noopener\"` is automatically populated to links as of `v1.14.1` which is a recommended upgrade to resolve the vulnerability.\n\n### Workarounds\nIf you can not upgrade to `v1.14.1`:\n1. Ensure _View_ link is only taking users to App Store or Google Play Store where security is guarded by respective app store security teams\n2. If _View_ link is going to a 3rd party page, limit smartbanner.js to be used on iOS that decreases the scope of the vulnerability since as of Safari 12.1,  `rel=\"noopener\"` is imposed on all `target=\"_blank\"` links.\n\n    Following combination of smartbanner meta tags can be used to achieve the above:\n\n    ```html\n    <meta name=\"smartbanner:enabled-platforms\" content=\"none\">\n    <meta name=\"smartbanner:include-user-agent-regex\" content=\"Mobile.*Safari\">\n    ```\n\n### References\n* [About rel=noopener](https://mathiasbynens.github.io/rel-noopener/)\n* [Safari 12.1 Release Notes](https://developer.apple.com/documentation/safari_release_notes/safari_12_1_release_notes#3130296)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [smartbanner.js](https://github.com/ain/smartbanner.js/issues/new)",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:U"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "smartbanner.js"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ain/smartbanner.js/security/advisories/GHSA-9mrq-cjgh-32g2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ain/smartbanner.js/commit/fce8c31dfe04033d9d005a89694d3e7a60784f89"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-9mrq-cjgh-32g2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ain/smartbanner.js"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-79"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:29:02Z",
    "nvd_published_at": null
  }
}