Steps to Reproduce
This Cross-Site Scripting (XSS) vulnerability is present in all public versions of AngularJS. It is exploitable only in the Internet Explorer browser, which has a bug in its page caching when dealing with textareas. A malicious actor can insert dangerous code that the browser will execute, thereby giving access to data or script functions (the attacker tricks the application or site into accepting a request as though it were from a trusted source). A proof of concept demonstrating this exploit is available on StackBlitz.
Addressing the Issue
Users of the Internet Explorer browser are exposed to this potential exploit when an application uses any public AngularJS version. Developers can escape untrusted content (see below) to prevent this sort of attack and should still upgrade to a version of the library with the fix.
Learning and Prevention
In general, XSS exploits are best avoided by escaping content that isn’t from a trusted source. Escaping can be done by libraries that specialize in this function. Using HTML as an example, they take < and > and encode them as &lt; and &gt;. Performing this transformation prevents code from being executed in locations where it can cause harm.
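The escaping described above, shown as an added example (not AngularJS or HeroDevs code): untrusted text is placed in a textarea once without escaping and once with it. The function names and the sample input are hypothetical and constructed for illustration; in production, prefer a maintained escaping library or the framework's own output encoding.

```javascript
// Added example: HTML-escaping untrusted text before it is placed in markup.
// All names below are hypothetical; the sample input is constructed.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for an HTML text node or a quoted attribute value.
// One regex pass handles every character exactly once, so the '&' that
// starts an entity we just produced is never encoded a second time.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before: untrusted text is concatenated straight into the markup, so any
// tags it contains are parsed by the browser as tags.
function renderTextareaUnsafe(name, untrusted) {
  return '<textarea name="' + name + '">' + untrusted + '</textarea>';
}

// After: both the attribute value and the body are escaped, so the browser
// treats the untrusted text as text only.
function renderTextarea(name, untrusted) {
  return '<textarea name="' + escapeHtml(name) + '">' +
         escapeHtml(untrusted) + '</textarea>';
}

// Count how many element tags a browser would see in a markup string.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: text that tries to close the textarea and add a script.
const SAMPLE = '</textarea><script>alert(1)</script>';

console.log(countTags(renderTextareaUnsafe('comment', SAMPLE))); // extra tags
console.log(countTags(renderTextarea('comment', SAMPLE)));       // only the textarea pair
console.log(renderTextarea('comment', SAMPLE));
```
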
Conclusion
HeroDevs clients were notified to upgrade immediately upon the release of version 1.9.0. If you would like the peace of mind that comes from a HeroDevs Never-Ending Support subscription, contact our sales team today.
Resources
NIST 2022-25869 entry