Platform: nodejs
Component: smartbanner.js
Fixed in: 1.14.2, 1.14.1
CVE-2025-25300 describes a missing rel="noopener" vulnerability (reverse tabnabbing) within the smartbanner.js library. This flaw allows a malicious third-party website linked from the 'View' button to potentially exploit the window.opener property, leading to redirection or injection attacks on the original page. The vulnerability affects versions prior to 1.14.1, and a patch is available in version 1.14.1.
The core impact of CVE-2025-25300 lies in the exposure of the window.opener property. When a user clicks the 'View' link provided by smartbanner.js and navigates to a third-party website, the newly opened page retains a reference to the original page through window.opener. A malicious website can then leverage this reference to redirect the user to a phishing site, inject malicious scripts into the original page, or perform other unauthorized actions. This could lead to data theft, account compromise, or further exploitation of the user's system.
CVE-2025-25300 has a LOW CVSS score and is not currently known to be actively exploited. Public proof-of-concept exploits are not widely available. The vulnerability was disclosed on 2019-09-13 and published on the NVD. While the risk is relatively low, the potential for abuse warrants attention, especially in applications that rely heavily on third-party links.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
The primary mitigation for CVE-2025-25300 is to upgrade to smartbanner.js version 1.14.1 or later, which automatically includes the rel="noopener" attribute to links. If upgrading is not immediately feasible, a workaround involves ensuring that the 'View' link only directs users to trusted destinations, such as the Apple App Store or Google Play Store, where security measures are in place. Regularly review and update dependencies to minimize potential vulnerabilities. After upgrading, confirm the fix by inspecting the generated HTML to ensure the rel="noopener" attribute is present on the 'View' link.
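The verification step above (inspecting the generated HTML for rel="noopener" on the 'View' link) can be automated. The following JavaScript is an added example, not smartbanner.js's own code: it audits banner markup for anchors that open a new browsing context (target="_blank") without rel="noopener", which is the condition that hands window.opener to the destination, and adds the attribute where it is missing. It assumes the 'View' button is rendered as such an anchor; the sample markup is constructed for illustration.

```javascript
// Added example (not part of smartbanner.js): audit rendered banner markup for
// links that would hand window.opener to their destination, i.e. anchors with
// target="_blank" and no rel="noopener", and add the attribute where missing.

const ANCHOR_RE = /<a\b[^>]*>/gi;
const REL_RE = /\brel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Parse the attributes of one opening tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function hasNoopener(rel) {
  return (rel || '').toLowerCase().split(/\s+/).includes('noopener');
}

// Only a link that opens a new browsing context exposes window.opener.
function opensNewContext(attrs) {
  return (attrs.target || '').toLowerCase() === '_blank';
}

// Return the href of every anchor that opens a new browsing context without
// rel="noopener"; an empty array means the fix is in place.
function findUnsafeAnchors(html) {
  const unsafe = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    const a = parseAttrs(tag);
    if (opensNewContext(a) && !hasNoopener(a.rel)) unsafe.push(a.href || '');
  }
  return unsafe;
}

// Rewrite the markup so every target="_blank" anchor carries rel="noopener",
// preserving any rel tokens already present (e.g. "nofollow").
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const a = parseAttrs(tag);
    if (!opensNewContext(a) || hasNoopener(a.rel)) return tag;
    if (REL_RE.test(tag)) {
      const existing = (a.rel || '').trim();
      const merged = existing ? `${existing} noopener` : 'noopener';
      return tag.replace(REL_RE, `rel="${merged}"`);
    }
    return tag.replace(/>$/, ' rel="noopener">');
  });
}

// Constructed sample: a banner whose 'View' button points at a third-party
// page and lacks rel="noopener" (the pre-1.14.1 condition), plus a store link
// that already has it and a same-tab close link that needs nothing.
const SAMPLE_HTML = [
  '<div class="smartbanner">',
  '  <a href="https://third-party.example/view" target="_blank" class="smartbanner__button">View</a>',
  '  <a href="https://apps.apple.com/app/id0" target="_blank" rel="noopener">Store</a>',
  '  <a href="#" class="smartbanner__exit">Close</a>',
  '</div>',
].join('\n');

// Summarise the audit before and after hardening.
function report(html) {
  return {
    before: findUnsafeAnchors(html),
    after: findUnsafeAnchors(hardenAnchors(html)),
  };
}

console.log(JSON.stringify(report(SAMPLE_HTML), null, 2));
```

Run it with node to see the 'View' link flagged before hardening and nothing flagged after. In a live page the same audit is a one-liner against the DOM, `document.querySelectorAll('a[target="_blank"]:not([rel~="noopener"])')`, which should return an empty list once smartbanner.js 1.14.1 or later is in place.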
Update the smartbanner.js library to version 1.14.1 or later. If you cannot update, make sure the 'View' link only points to the App Store or Google Play Store. For versions prior to Safari 12.1, consider limiting the use of smartbanner.js on iOS if the 'View' link points to a third-party page.
CVE-2025-25300 is a LOW severity vulnerability in smartbanner.js where clicking the 'View' link exposes window.opener, potentially allowing redirection or injection attacks.
You are affected if you are using smartbanner.js versions prior to 1.14.1 and the 'View' link leads to third-party websites.
Upgrade to smartbanner.js version 1.14.1 or later, which automatically includes the rel="noopener" attribute. Alternatively, ensure the 'View' link only leads to trusted app stores.
Currently, there are no confirmed reports of CVE-2025-25300 being actively exploited, but the potential for abuse exists.
Refer to the official smartbanner.js documentation and related security advisories for detailed information and updates.