PT-2020-21276 · Jquery · Jquery-Mobile

Published 2020-09-02 · Updated 2020-09-02

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: jquery-mobile (affected versions not specified)
Description: The issue is a Cross-Site Scripting problem. It arises because the package checks location.hash for content and, upon finding a URL there, performs an XMLHttpRequest to that URL. The response is then rendered with innerHTML without validating the Content-Type of the response. This allows an attacker to inject a payload through query parameters that the server reflects back to the user. For example, a JSON response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} is parsed as HTML, so the embedded JavaScript executes.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
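As an added example (not code from jquery-mobile or from this advisory), a hash-driven loader hardened with the two checks the description says were missing: the URL taken from location.hash is restricted to the page's own origin, and the response body only reaches innerHTML when the server declares an HTML media type. The origin, paths and the JSON reply used below are constructed.

```javascript
// Added example, not jquery-mobile's own code. Models the two guards missing
// in the flaw described above; all inputs are constructed for illustration.

// Return true only for an HTML media type, ignoring parameters like charset.
function isHtmlContentType(headerValue) {
  if (typeof headerValue !== "string") return false;
  const mediaType = headerValue.split(";")[0].trim().toLowerCase();
  return mediaType === "text/html" || mediaType === "application/xhtml+xml";
}

// Resolve a fragment such as "#/pages/about.html" into an absolute URL, but
// only when it stays on the page's own origin; anything else is rejected.
function resolveHashTarget(hash, pageOrigin) {
  const candidate = hash.startsWith("#") ? hash.slice(1) : hash;
  if (!candidate) return null;
  let url;
  try { url = new URL(candidate, pageOrigin); } catch (e) { return null; }
  // Cross-origin, protocol-relative and non-http schemes all land here.
  if (url.origin !== pageOrigin) return null;
  return url.href;
}

// Decide how a response may be used. Only a declared HTML type may reach
// innerHTML; JSON (the case in the advisory) is parsed as data instead, and
// anything else is dropped. A non-HTML body is therefore never handed to the
// caller as markup, which is what made the reflected payload executable.
function classifyResponse(contentType, body) {
  if (isHtmlContentType(contentType)) return { kind: "html", html: body };
  const mediaType = (contentType || "").split(";")[0].trim().toLowerCase();
  if (mediaType === "application/json") {
    try { return { kind: "json", data: JSON.parse(body) }; }
    catch (e) { return { kind: "rejected" }; }
  }
  return { kind: "rejected" };
}

// Sink mimicking the vulnerable pattern with the guard applied: returns the
// markup that would be assigned to innerHTML, or null when nothing may be.
function renderToInnerHtml(contentType, body) {
  const r = classifyResponse(contentType, body);
  return r.kind === "html" ? r.html : null;
}

// Constructed JSON reply in the shape quoted in the advisory, with a benign
// fragment standing in for the payload.
const constructedJsonReply = '{"q":"<b>hello</b>","results":[]}';
```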

XSS


Weakness Enumeration

Related Identifiers

GHSA-FJ93-7WM4-8X2G

Affected Products

Jquery-Mobile