
Mr-Neutr0N

#16219de 53,633
16.6 CVSS total
Vulnerabilities · 2
High
2
PT-2026-22366
8.3
2026-02-27
Clevertap · Clevertap Web Sdk · CVE-2026-26861
**Name of the Vulnerable Software and Affected Versions**

CleverTap Web SDK versions 1.15.2 and earlier

**Description**

The CleverTap Web SDK is susceptible to a Cross-Site Scripting (XSS) issue reachable through `window.postMessage`. The `handleCustomHtmlPreviewPostMessageEvent` function in `src/util/campaignRender/nativeDisplay.js` validates the message origin with a substring `includes()` check rather than an exact comparison, so an attacker can satisfy the check from a crafted subdomain and bypass it.

**Recommendations**

Update CleverTap Web SDK to a version later than 1.15.2.
PT-2026-22368
8.3
2026-02-27
Clevertap · Clevertap Web Sdk · CVE-2026-26862
**Name of the Vulnerable Software and Affected Versions**

CleverTap Web SDK versions 1.15.2 and earlier

**Description**

The CleverTap Web SDK is susceptible to a DOM-based Cross-Site Scripting (XSS) issue caused by insufficient origin validation in the Visual Builder module, specifically in `src/modules/visualBuilder/pageBuilder.js` (lines 56-60). The origin URL is verified with a substring `includes()` check, which can be satisfied with a crafted subdomain. The vulnerable path is reached through `window.postMessage`.

**Recommendations**

Update CleverTap Web SDK to a version later than 1.15.2.
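Both entries above share one root cause: a `postMessage` origin check built on a substring `includes()` match. The following is an added example, not CleverTap's code; the trusted origin, the function names and the sample message are constructed for illustration, and it shows the weak pattern beside an exact-origin comparison a defender would use instead.

```javascript
// Added example (not from the CleverTap SDK). Assumed trusted origin, constructed for this demo.
const TRUSTED_ORIGIN = "https://dashboard.example.com";

// Weak pattern described in the advisories: a substring match on the origin string.
// Any origin whose text merely contains the trusted host name passes, including
// a host such as "dashboard.example.com.attacker.test".
function isTrustedOriginWeak(origin) {
  return origin.includes("dashboard.example.com");
}

// Hardened check: parse the origin, then compare the normalised scheme://host[:port]
// for exact equality against an allowlist. Opaque "null" or malformed origins fail.
function isTrustedOriginStrict(origin, allowlist = [TRUSTED_ORIGIN]) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  // Array `some` with === is exact membership, not a substring test.
  return allowlist.some((allowed) => allowed === url.origin);
}

// Message handler skeleton: the origin check must run before any data is rendered.
// `check` is the origin predicate, `render` receives event.data only when it passes.
function makeMessageHandler(check, render) {
  return function onMessage(event) {
    if (typeof event.origin !== "string" || !check(event.origin)) {
      return false; // message rejected, nothing rendered
    }
    render(event.data);
    return true;
  };
}
```

In a real page the handler is registered with `window.addEventListener("message", makeMessageHandler(isTrustedOriginStrict, renderPreview))`, where `renderPreview` is whatever the application does with the message body.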