CVE-2023-41049: 
JavaScript vulnerability analysis and mitigation

@dcl/single-sign-on-client, an open source npm library for single sign-on authentication flows, was found to contain a vulnerability (CVE-2023-41049) related to improper input validation. The vulnerability was discovered and disclosed on August 31, 2023, affecting all versions prior to 0.1.0. The issue exists in the init function of the library, which fails to properly validate input, potentially allowing arbitrary JavaScript execution (GitHub Advisory).

The vulnerability stems from improper input validation in the init function, which allows attackers to execute arbitrary JavaScript code using the javascript: prefix. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue is classified as CWE-83 (Improper Neutralization of Script in Attributes) (GitHub Advisory).

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the application using the library. This could lead to unauthorized access to sensitive information and potential compromise of the application's security (GitHub Advisory).

The vulnerability has been patched in version 0.1.0 of the library. Users are strongly advised to upgrade to this version or later. For those unable to upgrade immediately, the vulnerability can be mitigated by ensuring proper sanitization of user input before passing it to the init function or by avoiding passing user input to the function altogether (GitHub Advisory).