CVE-2021-43785: 
JavaScript vulnerability analysis and mitigation

@joeattardi/emoji-button, a Vanilla JavaScript emoji picker component, was found to contain a Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-43785. The vulnerability was discovered on November 24, 2021, and disclosed on November 26, 2021. The affected versions are those prior to 4.6.2, where malicious code could be executed through two attack vectors (GitHub Advisory).

The vulnerability stems from improper input sanitization in two specific areas: custom emoji URLs and i18n strings. In both cases, attackers could craft values that would allow the insertion of malicious script tags into the page, leading to arbitrary code execution. The vulnerability received a CVSS v3.1 base score of 6.1 (MEDIUM) from NIST and 7.6 (HIGH) from GitHub, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the user's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions within the scope of the affected web application (GitHub Lab).

The vulnerability was patched in version 4.6.2 of @joeattardi/emoji-button. The fix involves proper escaping of strings that are inserted into the HTML document. Users are strongly advised to upgrade to version 4.6.2 or later, as there are no alternative workarounds available (GitHub Advisory).