1.14.2
1.14.1
CVE-2025-25300 describes a relnoopener vulnerability within the smartbanner.js library. This flaw allows a malicious third-party website linked from the 'View' button to potentially exploit the window.opener property, leading to redirection or injection attacks on the original page. The vulnerability affects versions prior to 1.14.1, and a patch is available in version 1.14.1.
The core impact of CVE-2025-25300 lies in the exposure of the window.opener property. When a user clicks the 'View' link provided by smartbanner.js and navigates to a third-party website, the original page retains a reference to the new page through window.opener. A malicious website can then leverage this reference to redirect the user to a phishing site, inject malicious scripts into the original page, or perform other unauthorized actions. This could lead to data theft, account compromise, or further exploitation of the user's system.
CVE-2025-25300 has a LOW CVSS score and is not currently known to be actively exploited. Public proof-of-concept exploits are not widely available. The vulnerability was disclosed on 2019-09-13 and published on the NVD. While the risk is relatively low, the potential for abuse warrants attention, especially in applications that rely heavily on third-party links.
Applications and websites that utilize the smartbanner.js library to provide links to app stores or other third-party resources are at risk. This includes mobile app promotion websites, landing pages, and any application that integrates smartbanner.js for user acquisition or referral purposes. Legacy applications using older versions of the library are particularly vulnerable.
• nodejs: Inspect application code for usage of smartbanner.js and check the version being used.
npm list smartbanner.js• generic web: Examine the generated HTML source code of pages using smartbanner.js to verify the presence of rel="noopener" on the 'View' link.
curl 'https://example.com/page-with-smartbanner' | grep 'rel="noopener"'disclosure
エクスプロイト状況
EPSS
0.13% (32% パーセンタイル)
CISA SSVC
The primary mitigation for CVE-2025-25300 is to upgrade to smartbanner.js version 1.14.1 or later, which automatically includes the rel="noopener" attribute to links. If upgrading is not immediately feasible, a workaround involves ensuring that the 'View' link only directs users to trusted destinations, such as the Apple App Store or Google Play Store, where security measures are in place. Regularly review and update dependencies to minimize potential vulnerabilities. After upgrading, confirm the fix by inspecting the generated HTML to ensure the rel="noopener" attribute is present on the 'View' link.
smartbanner.js ライブラリをバージョン 1.14.1 以降にアップデートしてください。アップデートできない場合は、'View' リンクが App Store または Google Play Store のみに誘導するようにしてください。Safari 12.1 以前のバージョンでは、'View' リンクがサードパーティのページに誘導される場合に、smartbanner.js の iOS への使用を限定することを検討してください。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-25300 is a LOW severity vulnerability in smartbanner.js where clicking the 'View' link exposes window.opener, potentially allowing redirection or injection attacks.
You are affected if you are using smartbanner.js versions prior to 1.14.1 and the 'View' link leads to third-party websites.
Upgrade to smartbanner.js version 1.14.1 or later, which automatically includes the rel="noopener" attribute. Alternatively, ensure the 'View' link only leads to trusted app stores.
Currently, there are no confirmed reports of CVE-2025-25300 being actively exploited, but the potential for abuse exists.
Refer to the official smartbanner.js documentation and related security advisories for detailed information and updates.