
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability CVE-2023-26487 is a Cross-Site Scripting (XSS) vulnerability discovered in Vega's lassoAppend function. The issue was disclosed on March 1, 2023, affecting Vega versions below 5.23.0 and vega-functions versions below 5.13.1. The vulnerability exists because the lassoAppend function doesn't enforce proper type checking of its arguments, which allows attackers to specify any object with a push function as the first argument (GitHub Advisory).
The root cause is that lassoAppend does not validate the type of its inputs. The function accepts three arguments and internally calls push on the first one, passing an array made up of the second and third arguments. Because the first argument is never checked to be an array, a caller can supply any object that exposes a push method, and functions reachable through event.view can be invoked that way (GitHub Advisory).
The vulnerability opens various XSS vectors; the exact impact and severity depend on the environment. In some environments, such as those using the core-js setImmediate polyfill, it could provide eval-like functionality and lead to arbitrary code execution (GitHub Advisory).
The vulnerability has been patched in Vega version 5.23.0 and vega-functions version 5.13.1. Users are advised to upgrade to these versions or later to address the security issue. The fix includes proper type checking and array spread instead of push operations (GitHub Release).
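As an added illustration, not Vega's own code, the following models the defect described above and the shape of the fix: a version that calls push on whatever it is handed, beside a version that enforces the array type and uses spread. The function names, the spy object and the strict TypeError rejection are assumptions for this example.

```javascript
// Added example (not Vega's code): a before/after model of the lassoAppend
// defect. `lassoAppendVulnerable`, `lassoAppendFixed` and the spy object
// below are assumptions built for illustration.

// Before: the first argument is trusted to be an array and `.push` is
// invoked on it directly, so any object with a `push` method is accepted
// and that method runs with the caller's arguments [x, y].
function lassoAppendVulnerable(lasso, x, y) {
  lasso.push([x, y]);
  return lasso;
}

// After: enforce the array type and build a new array with spread instead
// of calling a method on the caller-supplied value. Non-arrays are
// rejected outright and the input is never mutated.
function lassoAppendFixed(lasso, x, y) {
  if (!Array.isArray(lasso)) {
    throw new TypeError('lassoAppend: first argument must be an array');
  }
  return [...lasso, [x, y]];
}

// Constructed "duck-typed" object: not an array, but it has a push method.
// In the vulnerable version that method is what actually runs; here it
// only records the call so the behaviour can be observed.
function makePushSpy() {
  const spy = { calls: [] };
  spy.push = function (point) {
    spy.calls.push(point);
    return spy.calls.length;
  };
  return spy;
}

// True when the vulnerable variant invoked the caller-supplied push method,
// i.e. when type confusion on the first argument is possible.
function vulnerableInvokesForeignPush() {
  const spy = makePushSpy();
  lassoAppendVulnerable(spy, 10, 20);
  return spy.calls.length === 1 && spy.calls[0][0] === 10 && spy.calls[0][1] === 20;
}

// True when the hardened variant refuses the same object with a TypeError.
function fixedRejectsForeignPush() {
  try {
    lassoAppendFixed(makePushSpy(), 10, 20);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```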
Source: This report was generated using AI