auth0-js has a cross-origin resource sharing (CORS) vulnerability. It does not perform origin verification and uses a popup callback page with auth0.popup.callback(), allowing attackers to obtain the tokens of logged-in users through unrestricted cross-origin postMessage requests. The attackers can then invoke services on behalf of the user.
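The mitigation is origin verification on both ends of the popup exchange. The following is an added illustration, not auth0-js code; the application origin, the `state` nonce and the message shape are assumptions, and `MessageEvent`/`window.opener` are modelled as plain objects so it runs outside a browser.

```javascript
// Assumed application origin that opened the popup (not from the advisory).
const TRUSTED_ORIGIN = "https://app.example.com";

// Vulnerable receiver pattern: the popup callback accepts a message from any
// origin and hands back whatever token it carries. Nothing ties the message
// to the window that actually started the login.
function handleCallbackUnchecked(event) {
  return event.data && event.data.accessToken ? event.data : null;
}

// Hardened receiver: accept only the allow-listed origin and only a message
// carrying the state nonce issued when the login started.
function handleCallbackChecked(event, expectedState, trustedOrigin = TRUSTED_ORIGIN) {
  if (event.origin !== trustedOrigin) return null;           // origin verification
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.state !== expectedState) return null;             // replay / CSRF guard
  if (typeof data.accessToken !== "string") return null;
  return { accessToken: data.accessToken, idToken: data.idToken || null };
}

// Hardened sender: the popup must name the opener's origin explicitly.
// A "*" target origin would deliver the tokens to whatever window opened it.
function postResultToOpener(opener, result, targetOrigin) {
  if (!targetOrigin || targetOrigin === "*") {
    throw new Error("refusing to post tokens without an explicit target origin");
  }
  opener.postMessage(result, targetOrigin);
  return targetOrigin;
}

// Constructed sample events standing in for MessageEvent objects.
const fromAttacker = { origin: "https://evil.example", data: { accessToken: "tok", state: "abc" } };
const fromApp = { origin: TRUSTED_ORIGIN, data: { accessToken: "tok", idToken: "id", state: "abc" } };
const wrongState = { origin: TRUSTED_ORIGIN, data: { accessToken: "tok", state: "zzz" } };
```

Calling `handleCallbackUnchecked(fromAttacker)` returns the token, while `handleCallbackChecked(fromAttacker, "abc")` returns `null`.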