5.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-25300

GHSA ID

GHSA-9mrq-cjgh-32g2

EPSS Score

0.26845%

CWE

CWE-79

Published

9/13/2019

Updated

2/18/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-25300

CVE-2025-25300: smartbanner.js rel noopener vulnerability

rel noopener vulnerability

Impact

Clicking on smartbanner View link and navigating to 3rd party page leaves window.opener exposed. It may allow hostile 3rd parties to abuse window.opener, e.g. by redirection or injection on the original page with smartbanner.

Patches

rel="noopener" is automatically populated to links as of v1.14.1 which is a recommended upgrade to resolve the vulnerability.

Workarounds

If you can not upgrade to v1.14.1:

Ensure View link is only taking users to App Store or Google Play Store where security is guarded by respective app store security teams
If View link is going to a 3rd party page, limit smartbanner.js to be used on iOS that decreases the scope of the vulnerability since as of Safari 12.1, rel="noopener" is imposed on all target="_blank" links.

Following combination of smartbanner meta tags can be used to achieve the above:
```
<meta name="smartbanner:enabled-platforms" content="none">
<meta name="smartbanner:include-user-agent-regex" content="Mobile.*Safari">
```

References

For more information

If you have any questions or comments about this advisory:

Open an issue in smartbanner.js

(GitHub Advisory)

5.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-25300

GHSA ID

GHSA-9mrq-cjgh-32g2

EPSS Score

0.26845%

CWE

CWE-79

Published

9/13/2019

Updated

2/18/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
smartbanner.js	npm	< 1.14.1	1.14.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from anchor tags created without rel='noopener' in the smartbanner template. The commit fce8c31 shows the fix was adding rel='noopener' to the <a> element in src/smartbanner.js. The template generation function (likely part of SmartBanner.render) is directly responsible for creating vulnerable links. Test file updates confirm this was the only code change required to resolve the issue.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## r*l noop*n*r vuln*r**ility ### Imp**t *li*kin* on sm*rt**nn*r _Vi*w_ link *n* n*vi**tin* to *r* p*rty p*** l**v*s `win*ow.op*n*r` *xpos**. It m*y *llow *ostil* *r* p*rti*s to **us* `win*ow.op*n*r`, *.*. *y r**ir**tion or inj**tion on t** ori*in*l

Reasoning

T** vuln*r**ility st*ms *rom *n**or t**s *r**t** wit*out r*l='noop*n*r' in t** sm*rt**nn*r t*mpl*t*. T** *ommit ******* s*ows t** *ix w*s ***in* r*l='noop*n*r' to t** `<*>` *l*m*nt in `sr*/sm*rt**nn*r.js`. T** t*mpl*t* **n*r*tion *un*tion (lik*ly p*r

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-25300: smartbanner.js rel noopener vulnerability

rel noopener vulnerability

Impact

Patches

Workarounds

References

For more information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI