AngularJS - Denial of Service attack through DOM clobbering on versions under 1.6.3

Rule number

SN-JSL-007 (for ServiceNow)

SF-JSL-007 (for Salesforce)

Impact

An XSS attack via DOM "clobbering" (attempting to insert malicious DOM elements) could result in the browser hanging when $sanitize attempts to traverse the HTML, as the clobbered elements cause $sanitize to go into an infinite loop. While the XSS attack is prevented, the browser will hang, resulting in a Denial of Service situation.

Remediation

Update AngularJS to the latest version.

Time to fix

30 min

References

This rule is linked to Common Weakness Enumeration CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').