CVE-2024-53386: 
JavaScript vulnerability analysis and mitigation

Stage.js through version 0.8.10 contains a DOM Clobbering vulnerability that can lead to Cross-Site Scripting (XSS). The vulnerability exists because document.currentScript lookup can be shadowed by attacker-injected HTML elements, allowing for untrusted input that contains HTML (but does not directly contain JavaScript) to be executed (MITRE CVE).

The vulnerability stems from the library's use of document.currentScript within the getScriptSrc function to obtain the base URL for script resources. The implementation is vulnerable to DOM Clobbering attacks where document.currentScript lookup can be shadowed by attacker-injected HTML elements through the browser's named DOM access mechanism. This allows an attacker to control the URL used for script loading, potentially enabling the loading of scripts from an attacker's server. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.9 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N (MITRE CVE, GitHub POC).

When successfully exploited, this vulnerability can lead to cross-site scripting (XSS) attacks on web pages where scriptless attacker-controlled HTML elements are present. The impact is particularly significant for websites that allow user-controlled content to be embedded, as attackers could potentially execute arbitrary code in the context of the victim's browser session (GitHub POC).

The vulnerability affects Stage.js versions through 0.8.10. Users should update to a patched version when available. In the meantime, careful validation and sanitization of user input should be implemented to prevent HTML injection that could lead to DOM Clobbering attacks (MITRE CVE).