reveal.js is vulnerable to cross-site scripting. The onmessage
event listener in speaker-view.html
does not properly check the origin of postMessage
before being rendered on the webpage, allowing an attacker to inject and execute malicious javascript.