CVE-2021-29489: 
JavaScript vulnerability analysis and mitigation

Highcharts JS, a JavaScript charting library based on SVG, contained a cross-site scripting (XSS) vulnerability in versions 8 and earlier (CVE-2021-29489). The vulnerability was discovered when the chart options structure was not systematically filtered for XSS vectors. The issue was patched in version 9 (GitHub Advisory).

The vulnerability existed because HTML string options would be inserted unfiltered directly into the DOM, especially when using the useHTML flag. Even when useHTML was false, malicious code could be inserted through various character replacement tricks or malformed HTML. The vulnerability received a CVSS v3.1 base score of 5.4 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, the vulnerability could allow content from untrusted sources to execute code in the end user's browser. If chart configuration came from untrusted sources, attackers could potentially inject malicious markup leading to XSS attacks (GitHub Advisory).

The vulnerability was patched in Highcharts version 9, where the entire rendering layer was refactored to use a DOMParser, an AST, and tag and HTML allow-listing to ensure only safe content entered the DOM. For users unable to upgrade, a workaround was provided to apply DOMPurify recursively to the options structure to filter out malicious markup (GitHub Advisory, NetApp Advisory).