PT-2020-19758 · Hello.Js · Hellojs

Reporter: Anonymous Reporter
Published: 2020-10-06
Updated: 2022-09-07
CVE: CVE-2020-7741
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: hellojs (hello.js) versions prior to 1.18.6
Description: hello.js reads the OAuth redirect parameter from the page URL and passes it to location.assign without validating its scheme or origin. Because location.assign executes javascript: URLs, an attacker who controls that parameter can supply a payload such as javascript:alert(1) and run script in the application's origin (DOM-based XSS).
Recommendations: Update to version 1.18.6 or later. Until the update is deployed, restrict the OAuth redirect parameter on the affected URL, for example by accepting only http(s) URLs on the application's own origin and discarding everything else.
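The pattern from the description and the check suggested in the recommendations, as an added example (this is illustrative code written for this page, not hello.js's own implementation or patch). The parameter name redirect_uri, the origin https://app.example and the sample URLs are assumptions constructed for the demonstration. The vulnerable function returns the raw parameter exactly as a caller would hand it to location.assign; the hardened one resolves the value against the application origin and allows only same-origin http(s) targets, which rejects javascript: payloads as well as protocol-relative redirects to other hosts.

```javascript
// Added example, not hello.js code. Parameter name and origin are assumptions.
const APP_ORIGIN = 'https://app.example'; // constructed for the example

// Vulnerable pattern: the redirect parameter is taken from the page URL
// and returned untouched; a caller that does location.assign(value) will
// execute a value such as "javascript:alert(1)" as script.
function vulnerableRedirectTarget(pageHref) {
  return new URL(pageHref).searchParams.get('redirect_uri');
}

// Hardened pattern: resolve the parameter against the app origin, accept
// only http(s), and require the result to stay on the app origin.
// Returns the absolute URL to navigate to, or null if the value is rejected.
function safeRedirectTarget(pageHref, appOrigin = APP_ORIGIN) {
  const raw = new URL(pageHref).searchParams.get('redirect_uri');
  if (raw === null) return null;

  let target;
  try {
    // Relative paths resolve against appOrigin; absolute URLs keep their own
    // scheme and host, so "javascript:" and "//evil.example" both survive
    // this step and are caught by the checks below.
    target = new URL(raw, appOrigin);
  } catch {
    return null; // unparseable value
  }

  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null;
  if (target.origin !== appOrigin) return null;
  return target.href;
}

// Browser usage (not executed here):
//   const t = safeRedirectTarget(window.location.href);
//   if (t !== null) window.location.assign(t);
//   else window.location.assign(APP_ORIGIN + '/'); // fall back to a fixed page
```

Comparing the scheme and origin of the parsed URL, rather than pattern-matching the raw string, is what makes the check robust: percent-encoding, mixed case in the scheme and protocol-relative forms are all normalised by the URL parser before the comparison.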

Fix

Weakness Enumeration

XSS

Related Identifiers

CVE-2020-7741
GHSA-7JH9-6CPF-H4M7
SNYK-JS-HELLOJS-1014546

Affected Products

Hellojs