High severity · NVD Advisory · Published Sep 1, 2020 · Updated Sep 23, 2021

DOM-based XSS in gmail-js

CVE-2016-1000228

Description

Affected versions of gmail-js are vulnerable to DOM-based cross-site scripting in the tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post functions, which pass user input directly into the Function constructor, so that input is evaluated as JavaScript in the context of the page.

Recommendation

Update to version 0.6.5 or later.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
gmail-js (npm) | < 0.6.5 | 0.6.5

Patches

1
a83436f499f9

Replace new Function() with JSON.parse()

https://github.com/KartikTalwar/gmail.js · Jostein Kjønigsen · Nov 29, 2016 · via ghsa
1 file changed · +8 15
  • src/gmail.js+8 15 modified
    @@ -891,10 +891,8 @@ var Gmail_ = function(localJQuery) {
                     endIndex = (parseInt(dataLength, 10) - 2) + response.indexOf("[");
                     data = response.substring(response.indexOf("["), endIndex);
     
    -                var get_data = new Function("\"use strict\"; return " + data);
    -                realData = get_data();
    -
    -                parsedResponse.push(realData);
    +                var json = JSON.parse(data);
    +                parsedResponse.push(json);
     
                     // prepare response for next loop
                     response = response.substring(response.indexOf("["), response.length);
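Review bot: `JSON.parse(data)` is called with no error handling, so a chunk that the old evaluator accepted as a JavaScript array literal but that is not strict JSON (elided elements, single-quoted strings) now throws a SyntaxError and loses everything already pushed to `parsedResponse`. The same unguarded call appears in the two later hunks, before `api.tracker.view_data` and `api.tracker.email_data` are assigned. Consider wrapping each call, e.g. `try { json = JSON.parse(data); } catch (e) { /* log, then stop parsing this response */ }`, and failing closed rather than ever falling back to evaluation. The enclosing loop starts and ends outside this hunk, so how to leave it on failure needs to be checked there. A short comment such as `// Parse as data only; response text must never be evaluated as code` would record why `new Function` was removed.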
    @@ -1684,11 +1682,9 @@ var Gmail_ = function(localJQuery) {
                 return emails;
             }
     
    -        get_data = get_data.substring(get_data.indexOf("["), get_data.length);
    -        get_data = "\"use strict\"; return " + get_data;
    -        get_data = new Function(get_data);
    -
    -        api.tracker.view_data = get_data();
    +        var data = get_data.substring(get_data.indexOf("["), get_data.length);
    +        var json = JSON.parse(data);
    +        api.tracker.view_data = json;
     
             for(var i in api.tracker.view_data) {
                 if (typeof(api.tracker.view_data[i]) === "function") {
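Review bot: The `typeof(api.tracker.view_data[i]) === "function"` check in the loop right after the new assignment looks like dead code now, since `JSON.parse` returns plain data and never a function. If the loop body (outside this hunk) only handles that case, the loop can be removed; otherwise an index loop is safer than `for...in`, which also visits inherited enumerable properties. Separately, `get_data.indexOf("[")` returns -1 when no bracket is present and `substring` then treats it as 0, so the whole string reaches `JSON.parse`. An explicit guard mirroring the early return above, `if (get_data.indexOf("[") === -1) { return emails; }`, would make that case deliberate.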
    @@ -1934,13 +1930,10 @@ var Gmail_ = function(localJQuery) {
             if (!get_data) {
                 return {};
             }
    -        get_data = get_data.substring(get_data.indexOf("["), get_data.length);
    -        get_data = "\"use strict\"; return " + get_data;
    -        get_data = new Function(get_data);
    -
    -        var cdata = get_data();
    +        var data = get_data.substring(get_data.indexOf("["), get_data.length);
    +        var json = JSON.parse(data);
     
    -        api.tracker.email_data = cdata[0];
    +        api.tracker.email_data = json[0];
             return api.tools.parse_email_data(api.tracker.email_data);
         };
     
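Review bot: `json[0]` is read without checking that the parsed value is a non-empty array, so `api.tracker.email_data` can become `undefined` and is then handed to `api.tools.parse_email_data`. A guard that matches the existing empty-input path, `if (!Array.isArray(json) || json.length === 0) { return {}; }`, keeps the return shape consistent. Whether `parse_email_data` tolerates `undefined` is not visible in this hunk.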
    
