This Cross-Site Scripting (XSS) exploit is present in all public versions of AngularJS. It occurs only in the Internet Explorer browser, which has a bug in its page caching when dealing with textareas. A malicious actor can insert dangerous code that the browser will execute, thereby giving access to data or script functions (the attacker tricks the application or site into accepting a request as though it were from a trusted source). A proof of concept demonstrating this exploit is available on StackBlitz.
Users of the Internet Explorer browser are the vectors for this potential exploit with all public AngularJS versions. Developers can escape their code (see below) to prevent this sort of attack, and should still upgrade to a version of the library with the fix.
In general, XSS exploits are best avoided by escaping content that isn’t from a trusted source. Escaping can be done by libraries that specialize in this function. Using HTML as an example, they will take < and > and encode them as &lt; and &gt;. Performing this transformation prevents code from being executed in locations where it can cause harm.
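The escaping step described above, applied to untrusted text rendered inside a textarea. This is an added example, not code from AngularJS or HeroDevs; `escapeHtml`, `renderTextarea` and the sample input are hypothetical names and constructed values, and in production a maintained escaping library is the better choice.

```javascript
// Added example: HTML-escape untrusted text before placing it in markup.
// escapeHtml and renderTextarea are hypothetical helpers, not AngularJS APIs.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Treat missing values as empty text instead of rendering "null"/"undefined".
  if (value === null || value === undefined) return '';
  // One pass over the input: an '&' emitted by a replacement is never
  // re-encoded, while an '&' already in the input is always encoded.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderTextarea(name, untrustedValue) {
  // Both the attribute value and the element body are untrusted here.
  return '<textarea name="' + escapeHtml(name) + '">' +
    escapeHtml(untrustedValue) + '</textarea>';
}

function countOccurrences(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// Constructed sample: text that tries to close the textarea and add markup.
const sampleInput = '</textarea><script>alert(1)</script>';
const rendered = renderTextarea('note', sampleInput);

// After escaping, the only closing tag is the one the template wrote itself.
console.log(rendered);
console.log('closing tags:', countOccurrences(rendered, '</textarea>'));
```
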
HeroDevs clients were notified to upgrade immediately upon the release of version 1.9.0. If you would like the peace-of-mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.
NIST 2022-25869 entry