PT-2019-20234 · Unknown · Smartbanner.Js

Published: 2019-09-13 · Updated: 2025-02-18 · CVE-2025-25300

CVSS v4.0: 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: smartbanner.js versions prior to 1.14.1
Description: The issue is a Cross-Origin Window Reference vulnerability. When a user clicks the View link in the smartbanner and navigates to a third-party page, the opened page retains a reference to the original page through window.opener. A hostile third party can abuse that reference to redirect the original page or inject content into it. As of version 1.14.1, rel="noopener" is automatically added to the links, so upgrading is the recommended fix. For those who cannot upgrade, ensuring that the View link only takes users to the App Store or Google Play Store, where the respective app store security teams manage security, mitigates the issue. Alternatively, limiting the use of smartbanner.js to iOS reduces the scope of the vulnerability, because Safari 12.1 and later impose rel="noopener" on all target="_blank" links.
Recommendations: For versions prior to 1.14.1, upgrade to version 1.14.1 to resolve the vulnerability. As a temporary workaround, ensure the View link is only used to direct users to the App Store or Google Play Store. If the View link must direct users to a third-party page, limit the use of smartbanner.js to iOS to reduce the vulnerability's scope. The smartbanner meta tags can restrict smartbanner.js to specific platforms; for example, <meta name="smartbanner:enabled-platforms" content="none"> together with <meta name="smartbanner:include-user-agent-regex" content="Mobile.*Safari"> allows it only on Safari for iOS.
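The check and the fix described above, as an added example that is not part of smartbanner.js or of this advisory: a small audit that flags target="_blank" links whose rel carries neither noopener nor noreferrer (the condition under which window.opener stays reachable from the opened page), and a helper that adds noopener the way version 1.14.1 does. The link descriptors and hostnames are constructed for illustration; the DOM call in the trailing comment is how it would be applied on a live page.

```javascript
// Added example, not smartbanner.js project code: audit and harden anchor
// attributes so a target="_blank" link does not leave window.opener exposed.

// Split a rel attribute into its whitespace-separated tokens (lowercased).
function relTokens(rel) {
  return (rel || "").trim().toLowerCase().split(/\s+/).filter(Boolean);
}

// A link exposes window.opener when it opens a new browsing context
// (target="_blank") and its rel has neither "noopener" nor "noreferrer"
// (noreferrer implies noopener in current browsers).
function exposesOpener(link) {
  const target = (link.target || "").trim().toLowerCase();
  if (target !== "_blank") return false;
  const tokens = relTokens(link.rel);
  return !tokens.includes("noopener") && !tokens.includes("noreferrer");
}

// The rel value a hardened link should carry: the existing tokens plus
// "noopener", with no duplicates. This mirrors the 1.14.1 fix, which adds
// rel="noopener" to the banner's View link.
function hardenRel(rel) {
  const tokens = relTokens(rel);
  if (!tokens.includes("noopener")) tokens.push("noopener");
  return tokens.join(" ");
}

// Audit a list of link descriptors; returns the hrefs that still need fixing.
function auditLinks(links) {
  return links.filter(exposesOpener).map((l) => l.href);
}

// Constructed sample: a pre-1.14.1 style View link beside a few other anchors.
const sampleLinks = [
  { href: "https://apps.example/app", target: "_blank", rel: "" },           // exposed
  { href: "https://store.example/app", target: "_blank", rel: "noopener" },  // safe
  { href: "https://partner.example/", target: "_blank", rel: "noreferrer" }, // safe
  { href: "/about", target: "", rel: "" },                                   // same tab, not affected
];

// On a live page the same hardening would be applied with:
//   document.querySelectorAll('a[target="_blank"]')
//     .forEach((a) => { a.rel = hardenRel(a.rel); });
console.log("links exposing window.opener:", auditLinks(sampleLinks));
console.log("hardened rel for the first link:", hardenRel(sampleLinks[0].rel));
```

The audit treats target values case-insensitively and accepts noreferrer as sufficient, so it will not flag links that browsers already isolate; everything it does flag is a link where the opened page can still reach window.opener.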

Exploit

Fix

Open Redirect

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-25300
GHSA-9MRQ-CJGH-32G2

Affected Products

Smartbanner.Js