PT-2023-20678 · Vega+1 · Vega+1

Azasypkin · Published 2023-03-02 · Updated 2023-03-09 · CVE-2023-26487

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Vega versions prior to 5.23.0

Description

The lassoAppend function in Vega accepts three arguments and internally invokes the push function on the first argument, passing an array consisting of the second and third arguments as the argument of the push call. The first argument is supposed to be an array, but this is not enforced, so any object with a push function can be supplied as the first argument. The push function can be set to any function that can be accessed via event.view, such as console.log. This issue opens various XSS vectors, but the exact impact and severity depend on the environment. For example, the Core JS setImmediate polyfill basically allows eval-like functionality.

Recommendations

For versions prior to 5.23.0, update to version 5.23.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the lassoAppend function to minimize the risk of exploitation. Avoid using the push function on untrusted objects, and ensure that the event.view object is properly sanitized to prevent access to sensitive functions.
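The missing type check described above, shown as an added example on a simplified model of the pattern. This is not Vega's source code or its actual patch; the function names and the constructed input are hypothetical.

```javascript
// Simplified model of the pattern in the description; not Vega's code.
// All function names here are hypothetical.

// Unchecked form: trusts that the first argument is an array and calls
// whatever "push" property the caller supplied.
function lassoAppendUnchecked(lasso, x, y) {
  lasso.push([x, y]);
  return lasso;
}

// Checked form: only a genuine array is accepted, and the built-in push is
// used so that an overridden "push" property on the array is never invoked.
function lassoAppendChecked(lasso, x, y) {
  if (!Array.isArray(lasso)) {
    throw new TypeError('lasso must be an array');
  }
  Array.prototype.push.call(lasso, [x, y]);
  return lasso;
}

// Constructed input: a non-array object whose push is an unrelated function.
// A harmless recorder stands in for a function such as console.log.
function demo() {
  const calls = [];
  const lookalike = { push: (arg) => { calls.push(arg); } };

  // The unchecked form hands [x, y] to the substituted function.
  lassoAppendUnchecked(lookalike, 1, 2);

  // The checked form rejects the same object before any call is made.
  let rejected = false;
  try {
    lassoAppendChecked(lookalike, 3, 4);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  // A real array still works as intended.
  const ok = lassoAppendChecked([], 5, 6);
  return { calls, rejected, ok };
}
```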

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-26487
GHSA-W5M3-XH75-MP55

Affected Products

Debian
Vega