The vulnerability arises from inadequate handling of query parameters, enabling attackers to insert javascript: URIs as redirect targets within the new.loading.page.html file.
    // Vulnerable redirect logic from new.loading.page.html (kept as on the page).
    var redirectToLanding = function() {
        // Pull the raw redirect_to value out of the query string.
        var locationData = window.location.search.match(/(\?|&)redirect_to=([^&]+)(&|$)/);
        if (locationData === null) {
            window.location.reload(true);
        } else {
            // The decoded value is assigned to window.location with no scheme
            // or origin check, so a javascript: URI is executed in the page.
            window.location = decodeURIComponent(locationData[2]);
        }
    }
When the URL's query is ?redirect_to=javascript:alert("XSS"), locationData[2] equals 'javascript:alert("XSS")'. Invoking redirectToLanding then assigns that string to window.location, and the browser executes it as script in the page's origin, i.e. XSS.
Attackers can inject javascript: URIs to execute unauthorized scripts, potentially stealing sensitive information such as session cookies or performing actions on behalf of the user.
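A hardened replacement for the redirect logic, added here as an example and not code from the affected project: the parameter is resolved with the URL API against the page origin (passed in as a parameter so it can run outside a browser), and only http(s) targets on the same origin are accepted, which rejects javascript: and data: schemes and protocol-relative open redirects alike. The function names safeRedirectTarget and redirectToLandingSafe are assumed.

```javascript
// Added example (not the project's code). Returns the absolute URL to
// navigate to, or null when the parameter is absent, malformed, uses a
// non-http(s) scheme, or points off-origin.
function safeRedirectTarget(search, pageOrigin) {
  const m = search.match(/(\?|&)redirect_to=([^&]+)(&|$)/);
  if (m === null) return null;                  // no redirect_to: caller reloads

  let raw;
  try {
    raw = decodeURIComponent(m[2]);
  } catch (e) {
    return null;                                // malformed %-escape sequence
  }

  let url;
  try {
    // Relative paths resolve against the page origin; absolute URLs keep
    // their own scheme/host. The parser also strips tab/newline obfuscation,
    // so "java\tscript:" still ends up with protocol "javascript:".
    url = new URL(raw, pageOrigin);
  } catch (e) {
    return null;                                // unparseable target
  }

  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // blocks javascript:, data:, ...
  if (url.origin !== new URL(pageOrigin).origin) return null;            // blocks open redirect
  return url.href;
}

// Browser wiring that mirrors the original function's control flow.
function redirectToLandingSafe() {
  const target = safeRedirectTarget(window.location.search, window.location.origin);
  if (target === null) {
    window.location.reload();
  } else {
    window.location = target;
  }
}
```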