## General description
So on November 11th, we were notified by Viberank.dev about some vulnerabilities in our Dash code:
Email received:
Viberank.dev
Hi there,
We reviewed your tool Resiz and found some security areas that could strengthen user trust:
🔒 Security Insights
📋 Insecure Cross-Origin Communication (postMessage) (Severity: MEDIUM)
The embedded iframe uses `window.parent.postMessage` with `"*"` as the targetOrigin. While only non-sensitive 'embedHeight' is sent here, this pattern could lead to information disclosure or XSS if sensitive data were involved or arbitrary messages processed.
Recommendation: Specify a precise targetOrigin (e.g., `window.location.origin`) instead of `"*"` when using `postMessage` to restrict message delivery to the intended recipient.
📋 Third-party Script Risk (Severity: MEDIUM)
The webpage loads multiple scripts from third-party domains (e.g., Google, Catapulta, Hotjar, Framer). A compromise of any of these external providers could lead to malicious code injection (supply chain attack) on this website.
Recommendation: Implement Subresource Integrity (SRI) for critical third-party scripts. Regularly audit third-party script providers and monitor for suspicious activity or changes.
These are common issues that boost user trust when addressed. We'd love to feature your tool on Viberank—it's free, takes 2 minutes, and brings visibility + leaderboard placement. Plus, you'll get detailed security audits like this one for free!
[Join Viberank](https://jghecie.r.bh.d.sendibt3.com/tr/cl/vS0O_AWlIlNVsvzcFJbrgv6SIJ-C52oXfg-mC_-TG-cgukbHCmwhirfVY2sk8xUl2LVRQkzQS0fg8Fh4ugwMussIzOLBhBpB_xoVoKFAWdyfYALxK5W4CL7PG87RBgoEADeJdDPKuFy4-kODvfPI6nJn08WM72TPAQh1HDVhLEQQLtEO-5j5B420f3QrQW1La25blui-pChtU9L_y86ilfrxwOIC8AJwBsYILf0hEAPQ1BakjWa6xQwJFyvzIyBWd_88qA)
Questions? Just reply to this email!
Best regards,
The Viberank Team
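The first finding above is the embed iframe calling `window.parent.postMessage(..., "*")`. The example below is added here to illustrate it and is not code from the Resiz repository or from Viberank: it shows the wildcard send next to a send with an explicit `targetOrigin`, plus the host-side listener that checks `event.origin` before acting. The origins (`https://host.example`, `https://embed.example`, `https://evil.example`) and the small fake-window helper that stands in for the browser are assumptions so the code runs in Node without a DOM.

```javascript
// Added example, not Resiz's code: the embedHeight postMessage pattern, before and after.
// Origins below are assumptions for the demo.
const HOST_ORIGIN = "https://host.example";      // assumed: the site allowed to embed the tool
const EMBED_ORIGIN = "https://embed.example";    // assumed: the origin the iframe is served from
const ATTACKER_ORIGIN = "https://evil.example";  // constructed: a hostile page that frames the tool

// Before: "*" delivers the message to whatever page framed us, an attacker's included.
function postEmbedHeightInsecure(parentWindow, height) {
  parentWindow.postMessage({ type: "embedHeight", embedHeight: height }, "*");
}

// After: the browser drops the message unless the parent's origin equals targetOrigin,
// so a hostile framing page never receives it.
function postEmbedHeightSecure(parentWindow, height, targetOrigin = HOST_ORIGIN) {
  if (targetOrigin === "*") {
    throw new Error("wildcard targetOrigin is not allowed for embed messages");
  }
  parentWindow.postMessage({ type: "embedHeight", embedHeight: height }, targetOrigin);
}

// Host side: only messages from the embed origin with a sane payload are acted on.
// Returns the height to apply in px, or null when the message is rejected.
function handleEmbedHeightMessage(event, allowedOrigin = EMBED_ORIGIN) {
  if (event.origin !== allowedOrigin) return null;          // never trust event.data alone
  const data = event.data;
  if (!data || data.type !== "embedHeight") return null;
  const h = Number(data.embedHeight);
  if (!Number.isFinite(h) || h <= 0 || h > 20000) return null; // bound to avoid layout abuse
  return Math.round(h);
}

// Stand-in for a parent window so this runs outside a browser (assumption). It mimics the
// one rule that matters here: a message is delivered only when targetOrigin is "*" or equals
// the receiving window's origin, and the delivered event carries the sender's origin.
function fakeParentWindow(parentOrigin, senderOrigin) {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === parentOrigin) {
        received.push({ data, origin: senderOrigin });
      }
    },
  };
}

function demo() {
  // 1. Wildcard: an attacker page that frames the tool receives the message.
  const attacker = fakeParentWindow(ATTACKER_ORIGIN, EMBED_ORIGIN);
  postEmbedHeightInsecure(attacker, 640);
  const leakedToAttacker = attacker.received.length;

  // 2. Explicit targetOrigin: the same attacker page gets nothing.
  const attacker2 = fakeParentWindow(ATTACKER_ORIGIN, EMBED_ORIGIN);
  postEmbedHeightSecure(attacker2, 640);
  const deliveredToAttacker = attacker2.received.length;

  // 3. Legitimate host: delivered, and the listener applies the height.
  const host = fakeParentWindow(HOST_ORIGIN, EMBED_ORIGIN);
  postEmbedHeightSecure(host, 640);
  const applied = handleEmbedHeightMessage(host.received[0]);

  // 4. Listener side: a forged message from another origin is ignored even if it arrives.
  const forged = { origin: ATTACKER_ORIGIN, data: { type: "embedHeight", embedHeight: 99999 } };
  const forgedApplied = handleEmbedHeightMessage(forged);

  return { leakedToAttacker, deliveredToAttacker, applied, forgedApplied };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Two points the email's recommendation glosses over: `window.location.origin` is the wrong value when the sender is the iframe, because that is the iframe's own origin, not the parent's; the embed needs to know (or be configured with) the origin of the page allowed to host it. And fixing `targetOrigin` only protects what the embed sends; the host page must still check `event.origin` on what it receives, since any window that can obtain a reference to it can call `postMessage` on it.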
## Next steps
- I will investigate these vulnerabilities and create new issues for them so they can be fixed ASAP.