Security Update for auth0.js Popup Callback Vulnerability

Published: December 4, 2017

CVE number: CVE-2017-17068

Credit: @AppCheckNG

Overview

A vulnerability has been identified in the auth0.js JavaScript library, affecting versions < 8.12.

If your site or application uses a popup callback page that calls auth0.popup.callback(), the callback page relays the authentication result to the window that opened it with a cross-origin postMessage that does not restrict the target origin. An attacker whose page opens that popup can therefore receive the tokens of a logged-in user, and a malicious website could then use any acquired access token to invoke services on the user's behalf.

This update addresses the vulnerability by verifying the target origin: the message is posted only to a specified domain, and if no domain is specified, only to the domain that hosts the callback page. A message aimed at any other origin is not delivered; the browser drops it and reports an origin mismatch error instead of handing the tokens to the attacker's page.
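The following is an added example, not code from auth0.js or from Auth0. It models the browser's postMessage targetOrigin rule in plain Node so the two behaviours above can be run side by side: a callback page that relays the auth result to its opener with targetOrigin '*' (the pre-8.12 behaviour the advisory describes) against one that pins the target origin, defaulting to the callback page's own origin. The window class, the origins, the token value and the function names are all constructed for this demonstration.

```javascript
// Added example, not code from auth0.js: a small Node model of the browser's
// window.postMessage targetOrigin rule, used to contrast a popup callback that
// relays tokens with targetOrigin '*' against one that pins the origin.
// Window class, origins, token value and function names are constructed.

// Stand-in for a browser window. postMessage applies the rule real browsers
// use: the message is delivered only when targetOrigin is '*' or equals the
// RECEIVING window's origin; otherwise the browser drops it and logs an error.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;
    this.opener = null;
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  // `source` is the window doing the posting (implicit in a real browser).
  postMessage(data, targetOrigin, source) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) {
      return false; // dropped: target origin does not match this window
    }
    for (const fn of this.listeners) {
      fn({ data, origin: source.origin, source });
    }
    return true;
  }
}

// Vulnerable pattern, as the advisory describes for versions < 8.12:
// the callback page hands the auth result to whatever window opened it,
// with no restriction on that window's origin.
function vulnerableCallback(popup, authResult) {
  return popup.opener.postMessage(authResult, '*', popup);
}

// Hardened pattern matching the described fix: post only to the configured
// domain, defaulting to the origin of the callback page itself.
function hardenedCallback(popup, authResult, allowedOrigin) {
  const target = allowedOrigin || popup.origin;
  return popup.opener.postMessage(authResult, target, popup);
}

// Receiver-side check the application should keep regardless of the library
// fix: ignore any message that did not come from the expected origin.
function makeReceiver(expectedOrigin, received) {
  return (event) => {
    if (event.origin !== expectedOrigin) return;
    received.push(event.data);
  };
}

// Run one flow: a page at openerOrigin opens the callback popup, the popup
// (hosted at callbackOrigin) finishes and calls `callback`. Returns whether
// the browser delivered the message and what the opener's listener stored.
function runScenario(callback, openerOrigin, callbackOrigin, allowedOrigin) {
  const authResult = { accessToken: 'constructed-sample-token', expiresIn: 7200 };
  const opener = new FakeWindow(openerOrigin);
  const popup = new FakeWindow(callbackOrigin);
  popup.opener = opener;
  const received = [];
  opener.addEventListener('message', makeReceiver(callbackOrigin, received));
  const delivered = callback(popup, authResult, allowedOrigin);
  return { delivered, received };
}

const APP = 'https://app.example.com';       // constructed: hosts the callback page
const ATTACKER = 'https://evil.example.net'; // constructed: attacker-controlled opener

console.log('vulnerable, attacker opener:', runScenario(vulnerableCallback, ATTACKER, APP));
console.log('hardened, attacker opener:  ', runScenario(hardenedCallback, ATTACKER, APP));
console.log('hardened, legitimate opener:', runScenario(hardenedCallback, APP, APP));
```

The two checks protect different parties. The targetOrigin argument protects the sender: with '*' the callback page leaks the token to any opener, with a pinned origin the browser refuses to deliver it to the attacker's window while the legitimate opener still receives it. The event.origin check in the listener protects the receiver: without it the application would accept a forged "auth result" posted from any other page, so keep that check in your own code even after upgrading.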

Patching this vulnerability requires a library upgrade.

Am I affected?

You are affected by this vulnerability if both of the following apply:

  • You use a version of auth0.js lower than 8.12
  • You use a popup callback page with auth0.popup.callback() in your code

How do I fix this?

Developers using the auth0.js library need to upgrade to version 8.12.0 or later.

Updated packages are available on npm. To ensure you receive further bug fixes going forward, make sure your package.json accepts patch and minor level updates of our libraries, for example:

{
  "dependencies": {
    "auth0-js": "^8.12.0"
  }
}

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.