Mapbox: Stored XSS | | IE 11 | Styles name

ID H1:763812
Type hackerone
Reporter renekroka
Modified 2020-01-21T15:09:30


On December 24, 2019, user @renekroka reported a stored XSS vulnerability that affected users of Internet Explorer 11. An attacker could store XSS payloads on Mapbox servers and then trigger them in IE11 because JSON responses did not include the X-Content-Type-Options: nosniff header, which left the browser free to content-sniff a JSON response and render it as HTML.

Using the information provided by the researcher, we deployed a patch to Mapbox servers on January 8, 2020. This patch added the X-Content-Type-Options: nosniff and X-Frame-Options: deny headers to Styles API JSON responses.
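The fix above is a pure response-header change, so the practical check for a defender is "does every JSON response carry the two headers?". The following script is an added example, not Mapbox's code and not part of the original report: it parses a raw HTTP response, audits it for `Content-Type: application/json`, `X-Content-Type-Options: nosniff` and `X-Frame-Options: deny`, and shows a helper that applies the same two headers to an unhardened header set. The two sample responses (`WEAK_RESPONSE`, `HARDENED_RESPONSE`) and the style document in their bodies are constructed for the example.

```python
"""Audit JSON responses for the two defensive headers described in the report.

Added example: stand-alone, standard library only. The sample responses below
are constructed for illustration and are not real Mapbox Styles API output.
"""

# Header name (lower-cased) -> value the hardened Styles API responses carry.
REQUIRED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
}

# Constructed JSON body: a style document whose "name" is user-controlled.
STYLE_BODY = b'{"version": 8, "name": "constructed style name", "layers": []}'

# Constructed response as it looked before the patch: JSON, but no nosniff.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"Content-Length: " + str(len(STYLE_BODY)).encode() + b"\r\n"
    b"\r\n" + STYLE_BODY
)

# Constructed response as it looks after the patch described above.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: deny\r\n"
    b"Content-Length: " + str(len(STYLE_BODY)).encode() + b"\r\n"
    b"\r\n" + STYLE_BODY
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as in HTTP.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def build_response(status_code: int, headers: dict, body: bytes) -> bytes:
    """Serialize (status_code, headers, body) back into a raw response."""
    head = [f"HTTP/1.1 {status_code} OK"]
    head += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + body


def audit_json_response(raw: bytes) -> list:
    """Return the list of findings for a response; an empty list means hardened.

    Checks that the body is declared as JSON (so a browser has no reason to
    treat it as a document) and that both defensive headers are present with
    the expected values.
    """
    _, headers, _ = parse_response(raw)
    findings = []
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("application/json"):
        findings.append(f"unexpected Content-Type: {ctype!r}")
    for name, expected in REQUIRED_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"missing header {name}")
        elif actual.lower() != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings


def harden(headers: dict) -> dict:
    """Return a copy of a header dict with both defensive headers set.

    Existing values for the two names are overwritten, so a response that
    carried e.g. X-Frame-Options: sameorigin ends up with deny as in the patch.
    """
    hardened = dict(headers)
    hardened.update(REQUIRED_HEADERS)
    return hardened


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_json_response(raw) or "OK")
```

Run it against captured responses from any JSON endpoint you operate; the audit is deliberately strict about `X-Frame-Options: deny` because that is the value the patch chose, so adjust `REQUIRED_HEADERS` if your policy is `sameorigin`.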