- The library did not correctly sanitize user input, which resulted in the cross-site scripting (XSS) flaw.
Luckily, a formal fix that remediates the XSS flaw has been released on GitHub.
- The vulnerability was spotted back in 2018 and was actually addressed by Google in February this year.
- It was the result of a missing data sanitization feature in HTML, which was removed due to user interface issues.
- Attackers could have conducted phishing campaigns as well as launched XSS attacks by exploiting the flaw.
- Besides affecting Google Search, this XSS flaw is also believed to impact other applications that use the same library.
Why it matters?
A video by LiveOverflow details the vulnerability and its cause in depth. It notes how untrusted user input could lead to a live XSS attack. In addition, LiveOverflow said that the flaw could be exploited in other applications that use Closure Library.
On the other hand, Masato Kinugawa has yet to release more details on the flaw. “It’s unclear if Google has awarded a bug bounty for this vulnerability. SecurityWeek has reached out to Masato Kinugawa for additional information and will update this article if the researcher responds,” Eduard Kovacs wrote on SecurityWeek.