CVE-2020-10544: 
JavaScript vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in tooltip/tooltip.js component of PrimeTek PrimeFaces version 7.0.11. The vulnerability was identified on March 13, 2020, and assigned identifier CVE-2020-10544. The issue affects web applications using PrimeFaces where an attacker can inject JavaScript code in input fields that are later used as tooltip titles without proper input validation (MITRE CVE, NVD).

The vulnerability exists in the bindTarget function within the tooltip/tooltip.js component. The issue stems from insufficient input validation when processing tooltip titles. The security flaw is similar to a previous issue that was fixed in the bindGlobal function through PR #4394, where the escape configuration parameter was not properly implemented (GitHub Issue).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the malicious tooltip. This can lead to theft of sensitive information, session hijacking, or other client-side attacks (MITRE CVE).

The suggested fix involves adding the line 'this.cfg.escape = (this.cfg.escape === undefined) ? true : this.cfg.escape;' at the top of the bindTarget function, similar to the solution implemented for the bindGlobal function (GitHub Issue).