JavaScript : Cross-domain requests allowed for jQuery Mobile

Overview

Cross-domain requests are allowed for jQuery Mobile.

When jQuery Mobile attempts to load an external page, the request runs through $.mobile.loadPage(). Because the jQuery Mobile framework tracks which page is being viewed in the browser location hash, a cross-site scripting (XSS) attack is possible if the XSS code in question can manipulate the hash and set it to a cross-domain URL of its choice. This is the main reason that $.mobile.allowCrossDomainPages defaults to false. Enabling it removes that restriction.
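One way to audit a code base for this setting, as an added example (not DerScanner's own check and not code from the original page): a Node.js function that reports every line where allowCrossDomainPages is given anything other than a falsy literal. The function names, the SAMPLE input and the cfg.crossDomain identifier are constructed for illustration.

```javascript
// Added example: report lines that enable $.mobile.allowCrossDomainPages.
// Regex-based: sees direct assignments and object-literal keys, not values set indirectly.
const SETTING = /\ballowCrossDomainPages\b["']?\s*[=:](?!=)\s*([^,;}\s)]+)/g;
const FALSY = new Set(["false", "0", "!1", "null", "undefined"]);

// Drop a trailing // comment (simple heuristic, not string-aware).
function stripLineComment(line) {
  const i = line.indexOf("//");
  return i === -1 ? line : line.slice(0, i);
}

function findCrossDomainPageSettings(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((raw, idx) => {
    for (const m of stripLineComment(raw).matchAll(SETTING)) {
      const value = m[1];
      if (FALSY.has(value)) continue; // setting stays at its safe default
      // A literal true is certain; any other expression needs manual review.
      const certainty = value === "true" || value === "!0" ? "enabled" : "review";
      findings.push({ line: idx + 1, value, certainty });
    }
  });
  return findings;
}

// Constructed sample input: one real hit, one commented-out line, one dynamic value.
const SAMPLE = [
  '$(document).on("mobileinit", function () {',
  '  $.mobile.allowCrossDomainPages = true;',
  '  // $.mobile.allowCrossDomainPages = true;',
  '  $.extend($.mobile, { allowCrossDomainPages: cfg.crossDomain });',
  '  if ($.mobile.allowCrossDomainPages === true) { warn(); }',
  '  $.mobile.allowCrossDomainPages = false;',
  '});',
].join("\n");

console.log(findCrossDomainPageSettings(SAMPLE));
```

Lines reported as "review" take their value from an expression, so check where that value comes from before treating the setting as disabled.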

DerScanner Severity Score: MEDIUM
