
Azasypkin

#40767 of 53,635
6.5 CVSS total
Vulnerabilities · 1
PT-2023-20678
6.5
2023-03-02
Vega · Vega · CVE-2023-26487
**Name of the Vulnerable Software and Affected Versions**

Vega versions prior to 5.23.0

**Description**

The `lassoAppend` function in Vega accepts 3 arguments and internally invokes the `push` function on the 1st argument, passing an array consisting of the 2nd and 3rd arguments as the `push` call argument. The 1st argument is supposed to be an array, but this is not enforced, so any object with a `push` function can be supplied as the 1st argument. The `push` function can be set to any function that can be accessed via `event.view`, such as `console.log`.

This issue opens various XSS vectors, but the exact impact and severity depend on the environment. For example, the Core JS `setImmediate` polyfill basically allows `eval`-like functionality.

**Recommendations**

For versions prior to 5.23.0, update to version 5.23.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `lassoAppend` function to minimize the risk of exploitation. Avoid using the `push` function on untrusted objects, and ensure that the `event.view` object is properly sanitized to prevent access to sensitive functions.
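
The missing type enforcement described above, shown as an added JavaScript example that is not Vega's source code and not part of the original advisory: a simplified model of the duck-typed `push` call beside a hardened form. The function names, the `minDist` parameter and the recording `sink` function are assumptions made for illustration.

```javascript
// Simplified model of the pattern in the advisory; NOT Vega's source code.
// All names here (and the minDist parameter) are assumptions for illustration.
function farEnough(last, x, y, minDist) {
  return last === undefined || Math.hypot(last[0] - x, last[1] - y) > minDist;
}

// Before: assumes `lasso` is an array and calls whatever `push` it carries.
function lassoAppendUnchecked(lasso, x, y, minDist = 5) {
  const last = lasso[lasso.length - 1];
  if (farEnough(last, x, y, minDist)) lasso.push([x, y]);
  return lasso;
}

// After: enforce the type, then copy into a fresh array so that an own
// `push` (or `slice`) property placed on the input is never invoked.
function lassoAppendChecked(lasso, x, y, minDist = 5) {
  if (!Array.isArray(lasso)) throw new TypeError('lasso must be an array');
  const points = [];
  for (let i = 0; i < lasso.length; i++) points.push(lasso[i]);
  const last = points[points.length - 1];
  if (farEnough(last, x, y, minDist)) points.push([x, y]);
  return points;
}

// Constructed inputs: `sink` is a harmless recorder standing in for any
// function reachable by the expression.
function demo() {
  const calls = [];
  const sink = (...args) => { calls.push(args); };

  const impostor = { length: 0, push: sink };      // has push, is not an array
  lassoAppendUnchecked(impostor, 10, 20);          // sink receives [[10, 20]]
  const uncheckedCalls = calls.length;

  let rejected = false;
  try { lassoAppendChecked(impostor, 10, 20); }
  catch (e) { rejected = e instanceof TypeError; }

  const shadowed = [[0, 0]];                       // real array, own push replaced
  shadowed.push = sink;
  const out = lassoAppendChecked(shadowed, 10, 20);

  return { uncheckedCalls, rejected, totalCalls: calls.length, out };
}

console.log(demo());
```

`Array.isArray` alone does not cover a genuine array whose own `push` property has been replaced, which is why the hardened form copies the elements into a fresh array before appending.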