Reverse Tabnabbing Affecting quill package, versions <1.3.7


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High

  • Snyk ID SNYK-JS-QUILL-460312
  • published 27 Aug 2019
  • disclosed 5 Jul 2019
  • credit Jonathan Lloyd

Introduced: 5 Jul 2019

CVE NOT AVAILABLE, CWE-1022

How to fix?

Upgrade quill to version 1.3.7 or higher.

Overview

quill is a modern rich text editor built for compatibility and extensibility.

Affected versions of this package are vulnerable to Reverse Tabnabbing due to use of target='_blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks.
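
For content that was saved before upgrading, the following added example (not code from this advisory or from the quill project) audits stored editor HTML for anchors that open a new tab with window.opener intact and rewrites them. It assumes the usual CWE-1022 mitigation of adding rel="noopener noreferrer"; the function names and the sample markup are hypothetical.

```javascript
// Added example: audit and harden stored rich-text HTML against CWE-1022.
// Regex-based so it runs without a DOM; it inspects <a> start tags only and
// handles double-quoted, single-quoted and unquoted attribute values.
const A_TAG = /<a(?=[\s>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
const ATTR = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in browsers.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

function isUnsafe(attrs) {
  const target = (attrs.get('target') || '').trim().toLowerCase();
  const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/);
  // noreferrer implies noopener, so either token is sufficient.
  return target === '_blank' && !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Returns the href of every link that would expose window.opener.
function findUnsafeLinks(html) {
  return [...html.matchAll(A_TAG)]
    .map((m) => parseAttrs(m[1]))
    .filter(isUnsafe)
    .map((attrs) => attrs.get('href') || '');
}

// Rewrites only the unsafe anchors and keeps any existing rel tokens.
function hardenLinks(html) {
  return html.replace(A_TAG, (tag, raw) => {
    const attrs = parseAttrs(raw);
    if (!isUnsafe(attrs)) return tag;
    const old = (attrs.get('rel') || '').split(/\s+/).filter(Boolean);
    attrs.set('rel', [...new Set([...old, 'noopener', 'noreferrer'])].join(' '));
    const out = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`);
    return `<a ${out.join(' ')}>`;
  });
}

// Constructed sample resembling saved editor output.
const SAMPLE = '<p><a href="https://example.com/a" target="_blank">one</a> ' +
  '<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">two</a> ' +
  "<a href='/local'>three</a></p>";
console.log(findUnsafeLinks(SAMPLE), hardenLinks(SAMPLE));
```

Run findUnsafeLinks over saved documents to measure exposure; hardenLinks complements the upgrade to 1.3.7 or higher and does not replace it.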