CVE-2018-25058: Twitter-Post-Fetcher vulnerable to Use of Web Link to Untrusted Target with window.opener Access
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.15427%
CWE
Published
12/29/2022
Updated
2/2/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
twitter-fetcher-js | npm | < 18.0.0 | 18.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing rel="noopener" attributes when setting target="_blank". The commit patching this vulnerability specifically modifies two areas: 1) The targetLinksToNewWindow function that processes all links, and 2) The HTML template literals generating interaction buttons. Both locations initially created links with target="_blank" without security attributes, making them vulnerable to window.opener exploitation. The named function targetLinksToNewWindow is explicitly vulnerable, while the interaction link generation (though part of inline template construction) represents a distinct vulnerable code path that was also patched.