Steps for Reproduction:
npm install quill
npm audit
Expected behavior:
No security advisory.
Actual behavior:
Security advisory: https://npmjs.com/advisories/1039
All versions of quill are vulnerable to Reverse Tabnapping. The package uses
target='_blank' in anchor tags, allowing attackers to access window.opener for
the original page when opening links. This is commonly used for phishing
attacks.
Remediation
No fix is currently available. Consider using an alternative package until a fix is
made available.
Platforms:
N/A
Version:
"All versions" per the advisory.
Additional Notes:
If at all possible, please release / publish fixes for both 1.2.* and 1.3.*. Thanks for your consideration.
Related pull request #2674.
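As an added example (not quill's code and not from this thread), a small Node script that flags anchor tags opening a new tab with target="_blank" but no rel="noopener", which is the condition the advisory describes, and rewrites them to the hardened form; the HTML sample is constructed and the scan is regex-based so it needs no DOM.

```javascript
// Added example, not quill's implementation: scan an HTML fragment for anchors
// that open a new browsing context while leaving window.opener reachable, and
// produce a hardened copy with rel="noopener noreferrer".
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Read one attribute value from an opening tag (double-, single- or unquoted).
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True when the tag targets a new tab and its rel list lacks "noopener".
function isTabnabbingRisk(tag) {
  const target = attr(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener');
}

// Return every offending anchor tag found in the fragment (detection side).
function findRiskyAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter(isTabnabbingRisk);
}

// Harden one anchor: add rel="noopener noreferrer", merging with an existing rel.
function hardenAnchor(tag) {
  if (!isTabnabbingRisk(tag)) return tag;
  const rel = attr(tag, 'rel');
  if (rel === null) {
    return tag.replace(/<a\b/i, '<a rel="noopener noreferrer"');
  }
  const tokens = new Set(rel.split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i,
    `rel="${[...tokens].join(' ')}"`);
}

// Harden every anchor in a fragment (mitigation side).
function hardenHtml(html) {
  return html.replace(ANCHOR_RE, hardenAnchor);
}

// Constructed sample resembling editor output: one risky link, one already
// carrying noopener, and one same-tab link that needs no change.
const SAMPLE = '<p><a href="https://example.com" target="_blank">docs</a> ' +
  '<a href="https://example.org" target="_blank" rel="noopener">safe</a> ' +
  '<a href="/local">same tab</a></p>';
```

Running findRiskyAnchors over rendered editor output is a cheap regression check for this class of issue, independent of which quill version a wrapper package happens to pin.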
Is it fixed in 1.3.6 or 1.3.7? I tried both but it still shows the same issue. Can you please help me here?
@NagarajuGaddam1 the issue has been fixed with release version 1.3.7.
Make sure you add "quill": "^1.3.7" to your dependencies in package.json and run an npm install.
Or just npm audit fix
@danielw93: Thanks for your reply. Actually I am using "ngx-quill-editor": "2.2.2" and it is dependent on 1.3.6. Is there any chance we can fix this in 1.3.6?
@NagarajuGaddam1 ngx-quill-editor has "quill": "^1.3.1". Just run npm remove ngx-quill-editor --save && npm install ngx-quill-editor --save, or remove node_modules and package-lock.json and run npm install. Old versions can't be changed.
Even with 1.3.7 it is still showing the same reverse tabbing issue.
Can you please suggest what I missed here?
Nagaraju
On Tue, Sep 17, 2019, 2:47 PM Daniel Waller notifications@github.com wrote:
@NagarajuGaddam1 https://github.com/NagarajuGaddam1 the issue has been fixed with release version 1.3.7.
Make sure you add "quill": "^1.3.7" to your dependencies in package.json and run an npm install.
Or just npm audit fix
Most helpful comment
Fixed in https://github.com/quilljs/quill/releases/tag/v1.3.7