Background
EasyXDM is a JavaScript library enabling cross-domain communication via a consistent API. It was widely integrated into third-party products before browser-native APIs (window.postMessage) made it obsolete. During a routine client code security review, ThreeShield discovered that the library's dependence on query string parameters to determine communication state creates multiple exploitable vulnerabilities.
Responsible Disclosure
ThreeShield notified the library author and submitted a CVE request. The author archived the GitHub repository and posted a deprecation notice. ThreeShield also notified nFusion and other organizations that had integrated the vulnerable library into their products. nFusion acknowledged on 17 May 2023; by 30 October 2023, ThreeShield confirmed nFusion had replaced the library. All affected ThreeShield managed clients were protected before public disclosure.
Vulnerability Details
1. Arbitrary Redirection (Critical - CVSS High)
Attackers can manipulate query string parameters to cause instant redirection when the page loads - before any user interaction. This enables phishing attacks that redirect victims from a trusted domain to a malicious site, potentially capturing credentials or delivering malware. A proof-of-concept is archived at examples.threeshield.net for security research purposes.
2. Iframe Tampering
Applications using EasyXDM's postMessage transport render an iframe. Attackers can manipulate query parameters to change the iframe's accepted origin, creating unauthorized cross-origin access. This is especially dangerous for PCI SAQ A-compliant e-commerce sites that use iframes for credit card processing - iframe origin tampering can enable card skimming attacks against merchants who believed their iframe-based checkout was secure.
3. Cross-Site Scripting (XSS)
Under specific conditions - when an attacker controls the iframe origin in postMessage state - an attacker can execute scripts in the context of the target site. This requires multiple conditions to align but is exploitable in affected deployments where user-controlled input reaches the iframe messaging channel.
4. Origin Manipulation
Users can control which origins EasyXDM accepts postMessages from by manipulating query parameters. This design choice grants user-level control over security boundaries, creating unintended trust relationships in applications that rely on EasyXDM for access control decisions.
Mitigation
The correct fix is to remove EasyXDM entirely and use browser-native cross-origin messaging with strict origin validation. If immediate removal is not possible, implement parameter signing to prevent tampering. Contact ThreeShield for a code security review if your application still uses EasyXDM or you are unsure of your exposure.