You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Feb 2, 2021. It is now read-only.
Kevin Reid edited this page Jun 1, 2016
·
1 revision
Background
For applications which used the Google API tamings (not enabled by default), the taming of the google.load function did not sanitize its arguments sufficiently.
Impact and Advice
The vulnerability allows invoking arbitrary functions on the host page that can be accessed through properties on the global object, with no arguments. The exact impact of this depends on the contents of the host page; for more information read about “reverse clickjacking”.
All users which load google.load.loaderFactory.js in their Caja deployments should upgrade to Caja
v6010 or later.
If there is a problem upgrading, it is also feasible to apply the below patch directly, but we do not recommend using old versions of Caja any longer than necessary.