
JavaScript library caused a cross-site scripting vulnerability on Google Search

  • Closure is a JavaScript library open-sourced by Google and used in many of the company’s applications, including Google Search, Gmail and Google Maps.
  • The library did not correctly sanitize user input, which resulted in the cross-site scripting (XSS) flaw.

An XSS flaw has been discovered in a JavaScript library implemented in Google Search. The library, known as Closure, is used for building complex and scalable web applications. It is an open-source library developed and maintained by Google. The flaw was uncovered by security researcher Masato Kinugawa two days ago.

Luckily, a formal fix has been released on GitHub which remediates the XSS flaw.

Worth noting

  • The vulnerability was spotted back in 2018 and was actually addressed by Google in February this year.
  • It was the result of a missing HTML data sanitization feature, which had been removed due to user interface issues.
  • Attackers could have conducted phishing campaigns and launched XSS attacks by exploiting the flaw.
  • Besides Google Search, the XSS flaw is also believed to affect other applications that use the same library.

Why it matters

A video by LiveOverflow details the vulnerability and its cause in depth. It notes how untrusted user input could lead to a live XSS attack. In addition, LiveOverflow said that the flaw could be exploited in other applications that use the Closure Library.

On the other hand, Masato Kinugawa has yet to release more details on the flaw. “It’s unclear if Google has awarded a bug bounty for this vulnerability. SecurityWeek has reached out to Masato Kinugawa for additional information and will update this article if the researcher responds,” Eduard Kovacs wrote on SecurityWeek.
