When the share control of a mapbox.js map is clicked, arbitrary script content will execute if a malicious user has injected script content into the name property of TileJSON data.
- Mapbox.js v2.2.3 and earlier
- Mapbox.js v1.6.4 and earlier
Only specific usage is vulnerable. You are vulnerable to this issue if all of the following conditions are true:
- You are using a mapbox.js map (
L.mapbox.map) with a share control (
- You are loading untrusted external TileJSON
- A malicious user has access to the TileJSON and modifies the name property to contain script content
- The share control is clicked by a user
Such usage is uncommon.
L.mapbox.shareControl is not automatically added to mapbox.js maps and must be explicitly added.
The following usage scenarios are not vulnerable:
- The map does not use a share control (
- Only trusted TileJSON content is loaded
How to fix
Upgrade to Mapbox.js version 2.2.4. If you are still using a 1.x version and unable to upgrade to 2.2.4, upgrade to 1.6.6.
If you are unable to upgrade to either 2.2.4 or 1.6.6, you can also remove any share controls (
L.mapbox.shareControl) from your maps.
Abdullah Ahmet Erdem