
# CVE-2017-17068: Security Update for auth0.js Popup Callback Vulnerability

**Published**: December 4, 2017

**CVE number**: CVE-2017-17068

**Credit**: [@AppCheckNG](https://x.com/AppCheckNG)

## Overview

A vulnerability has been identified in the [Auth0.js](/docs/libraries/auth0js) JavaScript library, affecting versions earlier than `8.12`.

If your site or application uses a popup callback page with `auth0.popup.callback()`, an attacker can take advantage of unrestricted cross-origin `postMessage` requests and gain access to the tokens of logged-in users. A malicious website could then use any acquired <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Tokens">Access Tokens</Tooltip> to invoke services on behalf of the user.

This update addresses the vulnerability by implementing origin verification so the message cannot be posted to a page that is not in a specified domain. If no domain is specified, only the domain where the callback page is hosted is allowed. An attacker would receive a cross-origin request error.

Patching this vulnerability requires a library upgrade.
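The following is an added illustration of the vulnerable and fixed callback behaviour described above; it is not auth0.js source. `FakeWindow` stands in for a browser window and applies the browser's own `postMessage` target-origin rule, and `allowedOrigin`, the callback names and the sample origins are constructed for this example.

```javascript
// Added example, not auth0.js source. FakeWindow is a constructed stand-in
// for a browser window applying the browser's postMessage rule: deliver only
// if targetOrigin is "*" or equals the receiver's origin, else drop it.
class FakeWindow {
  constructor(origin) { this.origin = origin; this.delivered = []; }
  postMessage(data, targetOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    this.delivered.push(data);
    return true;
  }
}

// Vulnerable pattern (pre-8.12 behaviour described above): a wildcard
// target means whichever page opened the popup receives the tokens.
function vulnerableCallback(opener, result) {
  return opener.postMessage(result, '*');
}

// Fixed pattern: post only to the configured origin, or to the callback
// page's own origin when none is configured. `allowedOrigin` is a
// hypothetical option name used only in this example.
function resolveTargetOrigin(callbackPageOrigin, allowedOrigin) {
  return allowedOrigin || callbackPageOrigin;
}

function hardenedCallback(opener, result, callbackPageOrigin, allowedOrigin) {
  const target = resolveTargetOrigin(callbackPageOrigin, allowedOrigin);
  return opener.postMessage(result, target); // false: browser dropped it
}

// Receiver side, defence in depth: the opener should also ignore any
// message whose origin is not the expected callback-page origin.
function acceptAuthMessage(event, expectedOrigin) {
  return event.origin === expectedOrigin ? event.data : null;
}

// Constructed scenario: a legitimate app and an attacker page each open
// the popup; only the fixed callback keeps tokens from the attacker.
function demo() {
  const tokens = { accessToken: 'constructed-sample-token' };
  const callbackOrigin = 'https://app.example.com';
  const legit = new FakeWindow(callbackOrigin);
  const attacker = new FakeWindow('https://attacker.example');
  return {
    vulnerableLeaksToAttacker: vulnerableCallback(attacker, tokens),
    hardenedReachesLegit: hardenedCallback(legit, tokens, callbackOrigin),
    hardenedReachesAttacker: hardenedCallback(attacker, tokens, callbackOrigin),
  };
}
```

In a real browser the dropped message surfaces as the cross-origin error mentioned above rather than a `false` return value.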

## Am I affected?

You are affected by this vulnerability if both of the following apply:

* You use a version of auth0.js lower than `8.12`
* You use a popup callback page with `auth0.popup.callback()` in your code

## How do I fix it?

Developers using the auth0.js library need to upgrade to the latest version: `8.12`.

Updated packages are available on npm. To ensure delivery of additional bug fixes moving forward, please make sure your `package.json` file is updated to take patch and minor level updates of our libraries.

```json
{
  "dependencies": {
    "auth0-js": "^8.12.0"
  }
}
```

### Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.
