CVE-2024-45389: 
JavaScript vulnerability analysis and mitigation

Pagefind, a fully static search library, contains a vulnerability (CVE-2024-45389) discovered in versions prior to 1.1.1. The vulnerability relates to how Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script the user loads, using document.currentScript.src. This vulnerability was disclosed on September 3, 2024, affecting all versions of Pagefind up to (excluding) version 1.1.1 (Vendor Advisory).

The vulnerability stems from the way Pagefind handles script source location lookup through document.currentScript.src. Prior to version 1.1.1, it was possible to 'clobber' this lookup with benign HTML on the page, causing document.currentScript.src to resolve as an external domain. The vulnerability is classified as CWE-79 (Cross-site Scripting) with a CVSS v3.1 base score of 6.4 (Medium), indicating network attack vector, high attack complexity, low privileges required, and no user interaction needed (NVD).

If successfully exploited, this vulnerability could allow an attacker to escalate their privileges when they have the ability to inject HTML into a live, hosted website. While the attacker needs the capability to add certain elements to the page (such as img tags with a name attribute), they don't need the ability to add script tags, which would themselves constitute a cross-site scripting vector (Vendor Advisory).

The vulnerability has been patched in Pagefind version 1.1.1. The fix involves ensuring that the source is loaded from a valid script element by adding safety checks around accesses for document.currentScript.src. Users should upgrade to version 1.1.1 or later to address this vulnerability (GitHub Patch).