AngularJS - Denial of Service attack through DOM clobbering on versions under 1.6.3
Impact area
Security
Severity
High
Affected element
ServiceNow
UI Script
Salesforce
Static Resource
Rule number
SN-JSL-007 (for ServiceNow)
SF-JSL-007 (for Salesforce)
Impact
An XSS attack via DOM "clobbering" (attempting to insert malicious DOM elements) could result in the browser hanging when $sanitize attempts to traverse the HTML, as the clobbered elements cause $sanitize to go into an infinite loop. While the XSS attack is prevented, the browser will hang, resulting in a Denial of Service situation.
Remediation
Update AngularJS to the latest version.
Time to fix
30 min
References
This rule is linked to Common Weakness Enumeration CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').