Use of Web Link to Untrusted Target with window.opener Access Affecting hfs package, versions <0.57.10-beta1


Severity: medium (CVSS assessment by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept

  • Snyk ID: SNYK-JS-HFS-11787824
  • Published: 13 Aug 2025
  • Disclosed: 12 Aug 2025
  • Credit: ByteAfterlife

Introduced: 12 Aug 2025

CVE: not available. CWE: CWE-1022

How to fix?

Upgrade hfs to version 0.57.10-beta1 or higher.

Overview

hfs is an HTTP file server.

Affected versions of this package are vulnerable to Use of Web Link to Untrusted Target with window.opener Access (reverse tabnabbing) via the openFileMenu function in the fileMenu.ts file. When a user clicks a crafted external link opened from the file menu, the page that loads in the new tab retains a window.opener reference to the original tab. An attacker who controls that target page can use it to navigate the original hfs tab to a page of their choosing, such as a look-alike login form, potentially leading to credential theft or exposure of sensitive information.

Note: This is only exploitable if users access the application with outdated browsers. Current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) treat target="_blank" links as rel="noopener" by default, which severs the window.opener reference and mitigates this issue at the browser level. That default does not extend to window.open() calls, which still expose window.opener unless the "noopener" feature is passed explicitly, so upgrading to the fixed version remains the recommended mitigation.
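The reverse-tabnabbing pattern behind CWE-1022, as an added example that is not hfs code and not the project's fix: a Node.js scanner that flags target="_blank" anchors lacking rel="noopener" or rel="noreferrer" in an HTML fragment, the hardened attribute set for such a link, and the explicit feature string for window.open(). The sample HTML, hostnames and function names (findUnsafeBlankLinks, hardenLinkAttributes, safeWindowOpenArgs) are constructed for illustration and are not taken from hfs.

```javascript
// Added example (not part of hfs): spotting and hardening the reverse-tabnabbing
// pattern behind CWE-1022. Pure Node.js, no browser or DOM required.
//
// Mechanism: a link opened with target="_blank" (or window.open() without the
// "noopener" feature) gives the new document a window.opener reference back to
// the tab that opened it. A hostile target page can then run
//   window.opener.location = "https://phish.example/login";
// and replace the original tab with a look-alike login page while the user is
// looking at the new tab. rel="noopener" (noreferrer implies it) severs the link.

// Matches one attribute: name, optional =value in double, single or no quotes.
const ATTR_RE = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute part of a single <a ...> tag into a lower-cased-name map.
function parseAttributes(attrString) {
  const attrs = {};
  for (const m of attrString.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// rel is a space-separated token list; per the HTML spec "noreferrer" also
// implies "noopener", so either token is enough to cut off window.opener.
function relSeversOpener(rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

// Scan an HTML fragment for anchors that open a new browsing context while
// still exposing window.opener. Returns the offending href values.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttributes(m[1]);
    if ((attrs.target || "").toLowerCase() === "_blank" && !relSeversOpener(attrs.rel)) {
      unsafe.push(attrs.href ?? "");
    }
  }
  return unsafe;
}

// Hardened form of an anchor's attributes: for target="_blank" links, add
// noopener (severs window.opener) and noreferrer (also drops the Referer header).
// Links that open in the same tab are returned unchanged.
function hardenLinkAttributes(attrs) {
  const out = { ...attrs };
  if ((out.target || "").toLowerCase() === "_blank") {
    const tokens = new Set((out.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
    tokens.add("noopener");
    tokens.add("noreferrer");
    out.rel = [...tokens].join(" ");
  }
  return out;
}

// Serialise an attribute map back into an <a> tag (double quotes escaped).
function renderLink(attrs, text = "link") {
  const parts = Object.entries(attrs).map(
    ([k, v]) => `${k}="${String(v).replace(/"/g, "&quot;")}"`
  );
  return `<a ${parts.join(" ")}>${text}</a>`;
}

// Equivalent for script-driven navigation. Unlike target="_blank" anchors,
// window.open() gets no implicit noopener in current browsers, so the feature
// string must say so explicitly; use the result as window.open(...args).
function safeWindowOpenArgs(url) {
  return [url, "_blank", "noopener,noreferrer"];
}

// Constructed sample input: a file-menu-style listing with one vulnerable link.
const SAMPLE_HTML = `
<ul class="file-menu">
  <li><a href="/files/report.pdf">report.pdf</a></li>
  <li><a href="https://external.example/shared" target="_blank">open externally</a></li>
  <li><a href="https://other.example/x" target="_BLANK" rel="noreferrer">also external</a></li>
  <li><a href='https://third.example/' target='_blank' rel='noopener'>safe</a></li>
</ul>`;

console.log("unsafe links:", findUnsafeBlankLinks(SAMPLE_HTML));
const fixed = hardenLinkAttributes({ href: "https://external.example/shared", target: "_blank" });
console.log("hardened:", renderLink(fixed, "open externally"));
console.log("window.open args:", safeWindowOpenArgs("https://external.example/shared"));
```

Running the block prints the single vulnerable href from the sample, the same link re-rendered with rel="noopener noreferrer", and the argument list a window.open() call needs to get the same protection. The scanner is intentionally permissive about attribute quoting and case, since target="_BLANK" opens a new tab just as target="_blank" does.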
