Hello.Js · Hellojs · CVE-2020-7741
**Name of the Vulnerable Software and Affected Versions**
hellojs versions prior to 1.18.6
hello.js versions prior to 1.18.6
**Description**
The issue arises from the package reading the `oauth redirect` parameter from the URL and passing it to `location.assign` without validating or sanitizing it. Because the value is used as a navigation target unchanged, an attacker can place an XSS payload such as `javascript:alert(1)` in the `oauth redirect` URL parameter and have it executed when the redirect runs.
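The pattern the description refers to, shown as an added example that is not hello.js's own code nor the advisory's: the unsafe "read a redirect parameter and hand it straight to `location.assign`" flow beside a hardened version that parses the value, accepts only `http(s)` schemes and only allowlisted origins. The parameter name `oauth_redirect`, the app origin `https://app.example.com`, the sample query strings and the `navigate` callback (standing in for `location.assign` so the code runs under Node without a browser) are all assumptions made for the example.

```javascript
// Added example, not hello.js project code: the unsafe redirect pattern the
// advisory describes, next to a hardened replacement. The parameter name,
// the origin and the `navigate` callback (in place of location.assign) are
// assumptions made for this illustration.

const CURRENT_ORIGIN = "https://app.example.com"; // assumed application origin
const ALLOWED_ORIGINS = [CURRENT_ORIGIN];          // assumed redirect allowlist
const PARAM = "oauth_redirect";                    // assumed query-parameter name

// Read the redirect parameter from a query string such as location.search.
function getRedirectParam(search, name = PARAM) {
  return new URLSearchParams(search).get(name);
}

// Vulnerable pattern: whatever the parameter holds is passed to navigation
// unchanged. With navigate === location.assign in a browser, a javascript:
// URL is executed as script in the page's origin.
function vulnerableRedirect(search, navigate) {
  const target = getRedirectParam(search);
  if (target !== null) navigate(target);
  return target;
}

// Hardened resolver: parse the value relative to the current origin, accept
// only http(s) schemes, and only origins on the allowlist. Returns the
// absolute URL to navigate to, or null when the value must be rejected.
function resolveSafeRedirect(raw, currentOrigin = CURRENT_ORIGIN, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url;
  try {
    url = new URL(raw, currentOrigin); // resolves relative paths; absolute URLs parse as-is
  } catch {
    return null;                       // unparsable input is rejected, not passed through
  }
  // Scheme check rejects javascript:, data:, vbscript: and similar; the URL
  // parser lower-cases the scheme, so "JavaScript:" is caught as well.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Origin check rejects open redirects, including protocol-relative "//evil.example".
  if (!allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Hardened pattern: navigate only to a validated target, otherwise to a safe default.
function safeRedirect(search, navigate) {
  const target = resolveSafeRedirect(getRedirectParam(search));
  navigate(target === null ? CURRENT_ORIGIN + "/" : target);
  return target;
}

// Constructed sample query strings covering the usual cases.
const SAMPLE_QUERIES = [
  "?oauth_redirect=%2Fdashboard",
  "?oauth_redirect=https%3A%2F%2Fapp.example.com%2Fcallback",
  "?oauth_redirect=javascript%3Aalert(1)",
  "?oauth_redirect=%2F%2Fevil.example%2Fphish",
  "?oauth_redirect=data%3Atext%2Fhtml%2C%3Cscript%3E",
];

for (const q of SAMPLE_QUERIES) {
  const log = [];
  vulnerableRedirect(q, (t) => log.push("vulnerable -> " + t));
  safeRedirect(q, (t) => log.push("hardened   -> " + t));
  console.log(q + "\n  " + log.join("\n  "));
}
```

The scheme check alone is not enough: a value such as `//evil.example/phish` parses as `https://evil.example/phish`, which is why the hardened version also resolves the value against the current origin and compares the resulting origin with an allowlist before navigating.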
**Recommendations**
For versions prior to 1.18.6, update to version 1.18.6 or later to resolve the issue.
As a temporary workaround where the upgrade cannot yet be applied, restrict use of the `oauth redirect` parameter in the affected URL.