JS9 Security Issues

Unresolved Issues:

None

Resolved Issues:

  1. All platforms (October 28, 2020: resolved)

    A carefully crafted FITS filename could be used by an attacker to execute arbitrary JavaScript in the browser of anyone viewing the page (a cross-site scripting issue). If, for example, a file with the following name is loaded into JS9:

        JS9.Load("<svg onmouseover=alert(1)>.fits")
    
    then moving the mouse over the Statusbar plugin (where the image id is displayed) will trigger the alert. Similarly, setting the id explicitly:

        JS9.Load("foo.fits", {"id": "<svg onmouseover=alert(1)>.fits"})

    will trigger the alert. This vulnerability is present in any plugin that displays the image id or filename (e.g., the Blend and Blink plugins), because the string is inserted into the page as HTML rather than as text.

    As of v3.2 (and the GitHub repository as of 10/28/2020), a check is performed to detect dangerous strings in filenames and ids, and an error is thrown if one is found. Patched versions of js9.js and js9.min.js for v3.1 are available.
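    The following is an added example, not JS9's own code, illustrating the two layers of defence that apply here: rejecting ids and filenames that carry markup before they are stored (the "detect and throw" approach described above), and HTML-escaping any string that a plugin does interpolate into the page. The DISALLOWED pattern, the function names, and the renderStatus* helpers are assumptions made for this illustration; JS9's real check is not reproduced here. When a DOM is available, assigning the id to an element's textContent instead of innerHTML is the simplest form of the second layer.

```javascript
// Added example (not JS9's own code). Two complementary defences for a
// display string such as an image id or FITS filename:
//   1. validateImageId(): reject ids containing HTML-significant characters
//      before they are stored (mirrors the "detect and throw" fix; the exact
//      pattern is a constructed assumption, not JS9's).
//   2. escapeHtml(): neutralise markup characters if the string must be
//      interpolated into HTML anyway (defence in depth).

// Constructed denylist: the characters that let a string be parsed as a
// tag, close a tag, or break out of an attribute value.
const DISALLOWED = /[<>"'`]/;

function validateImageId(id) {
  if (typeof id !== 'string' || id.length === 0 || id.length > 256) {
    throw new Error('image id must be a non-empty string of at most 256 characters');
  }
  if (DISALLOWED.test(id)) {
    throw new Error(`image id contains disallowed characters: ${JSON.stringify(id)}`);
  }
  return id;
}

// Convenience wrapper so callers can test without catching exceptions.
function isIdSafe(id) {
  try {
    validateImageId(id);
    return true;
  } catch (e) {
    return false;
  }
}

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated statusbar rendering (hypothetical helpers, not a JS9 plugin).
// The unsafe form is what the advisory describes: the id passes straight
// into markup, so a crafted filename becomes a live element.
function renderStatusUnsafe(id) {
  return `<span class="status">${id}</span>`;
}

// The hardened form: the id is escaped, so it is displayed verbatim as text.
function renderStatusSafe(id) {
  return `<span class="status">${escapeHtml(id)}</span>`;
}

// Stand-alone demonstration using the filename from the advisory.
const crafted = '<svg onmouseover=alert(1)>.fits';
console.log('validates?', isIdSafe('foo.fits'), isIdSafe(crafted));
console.log('unsafe:', renderStatusUnsafe(crafted));
console.log('safe:  ', renderStatusSafe(crafted));
```

    Ordinary filenames such as foo.fits pass validation unchanged, while the crafted name is rejected by the first layer and, even if it slipped through, would be rendered as inert text by the second.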

    Thanks to Marwan Ali albahar (Umm Alqura University) for reporting this issue.

Last updated: October 28, 2020