What's new in Ceros


security
August 02, 2019

XSS Vulnerability: Ceros Scroll Proxy

Summary

Ceros has released a security update to resolve one cross-site scripting (XSS) vulnerability in proprietary code referred to as the Ceros “Scroll Proxy.” The vulnerability affected both exported content and content that uses a self-hosted copy of the Scroll Proxy (scroll-proxy.js).

XSS attacks allow an attacker to run malicious JavaScript in another user’s browser. The malicious script could capture cookies or session tokens, or rewrite the content of the page. A vulnerability, in this context, is a weakness that could expose users to such an attack.

Analysis

Ceros has confirmed proof-of-concept (PoC) code that demonstrates a theoretical exploit of this vulnerability (PoC available upon request).

Ceros is not aware of any successful exploitation happening in the wild or of any breach of internal or customer data.

Exploiting this vulnerability would require a malicious iframe, hosted on the same page as a Ceros iframe, that specifically targets Ceros content in order to perform an XSS attack on the parent page. While this is an unlikely scenario, it would have been theoretically possible before this patch was released.
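The scenario above (a sibling iframe sending messages that the parent page acts on) is the general class of bug a cross-frame scroll helper must defend against. The following is an added example, not Ceros code and not the actual Scroll Proxy; it assumes the proxy relays scroll requests to the parent via window.postMessage, and the origin, message type and field names are constructed placeholders. It shows a receiver that allowlists the sender origin, accepts only a structured numeric payload, and never writes message content into the DOM.

```javascript
// Added example (not Ceros code): hardened parent-side receiver for
// iframe-to-parent scroll messages. Assumption: messages arrive via
// window.postMessage as {type, top}; names below are placeholders.

// Only frames served from these origins may drive the parent's scroll.
const TRUSTED_ORIGINS = new Set(["https://embed.example-host.test"]); // placeholder

// Validate one MessageEvent-like object {origin, data}. Returns a plain
// command with a single numeric field, or null when anything is off.
function parseScrollMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  if (!event || typeof event.origin !== "string") return null;
  if (!trustedOrigins.has(event.origin)) return null;       // unknown frame
  const data = event.data;
  if (!data || typeof data !== "object") return null;       // no string payloads
  if (data.type !== "scroll-proxy:scrollTo") return null;   // unexpected command
  if (typeof data.top !== "number" || !Number.isFinite(data.top) || data.top < 0) {
    return null;                                            // not a sane offset
  }
  return { type: "scrollTo", top: data.top };
}

// Apply a validated command. Only the checked number reaches a DOM API;
// nothing from the message is ever used with innerHTML, eval or a URL.
function applyScrollCommand(cmd, win) {
  if (!cmd) return false;
  win.scrollTo({ top: cmd.top, behavior: "smooth" });
  return true;
}

// Constructed sample events for a stand-alone run: one legitimate request,
// one from an untrusted sibling frame, one with a non-object payload.
const SAMPLE_EVENTS = [
  { origin: "https://embed.example-host.test", data: { type: "scroll-proxy:scrollTo", top: 1200 } },
  { origin: "https://other-frame.example", data: { type: "scroll-proxy:scrollTo", top: 0 } },
  { origin: "https://embed.example-host.test", data: "not-an-object" },
];

// Run every sample through the receiver; returns how many were applied.
function processEvents(events, win) {
  return events.reduce((n, ev) => n + (applyScrollCommand(parseScrollMessage(ev), win) ? 1 : 0), 0);
}

if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => applyScrollCommand(parseScrollMessage(ev), window));
}
```

Run against the samples, only the first event is applied; the other two are dropped before any DOM call.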

Solution

At 4 PM EDT on August 2, 2019, Ceros released a patched build to its production environment to remediate the vulnerability and took additional steps to revise how embedded experiences speak to the scroll proxy. This response was immediate and the Ceros team was able to remediate this vulnerability within 24 hours of discovery.

If you are using a standard Ceros embed code, you don’t need to do anything.

However, if you are self-hosting the Scroll Proxy, you will need to re-export to upgrade to the patched version to remediate this vulnerability.

Safeguards

Ceros is performing a full root cause analysis and a formal review of security testing procedures to avoid this type of vulnerability in the future.

If you discover a vulnerability in any Ceros product, please let us know at security@ceros.com.

Should you have any questions or need help remediating this vulnerability, please email support@ceros.com.