CVE-2024-47068: 
JavaScript vulnerability analysis and mitigation

Rollup, a JavaScript module bundler, was found to contain a DOM Clobbering vulnerability in versions prior to 2.79.2, 3.29.5, and 4.22.4. The vulnerability affects scripts bundled with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format (GitHub Advisory).

The vulnerability stems from improper handling of document.currentScript lookups in the bundled output. When bundling scripts that use import.meta properties, Rollup replaces these with URLs retrieved from document.currentScript. However, this implementation is vulnerable to DOM Clobbering attacks where an attacker can shadow the document.currentScript lookup through the browser's named DOM tree element access mechanism. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability can lead to cross-site scripting (XSS) attacks in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. This allows attackers to potentially load scripts from attacker-controlled servers by manipulating the src attribute of the controlled element (GitHub Advisory).

The vulnerability has been patched in versions 2.79.2, 3.29.5, and 4.22.4. The fix includes adding type checking to prevent DOM Clobbering attacks by verifying that document.currentScript is actually a script element using tagName.toUpperCase() === 'SCRIPT' check (GitHub Advisory).