VYPR
High severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 17, 2024

CVE-2017-16006

Description

Remarkable markdown parser ≤1.6.2 allows XSS via data: URIs in links.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Remarkable, a markdown parser for JavaScript, in versions up to and including 1.6.2, does not filter data: URIs from markdown link destinations. An attacker who can supply markdown can therefore craft a link whose target is a data:text/html URI carrying script [3]. When remarkable renders that markdown and a user clicks the link, the browser navigates to the data: URI and runs the embedded script; the original report describes this as executing in the context of the page's domain [3]. Note that current browsers treat content loaded from a data: URL as an opaque origin and block top-level navigation to data:text/html URLs triggered from a page, link clicks included, which limits what this particular payload can reach; the parser still emits an attacker-controlled URI, however, and the issue is a real sanitization gap. No authentication or special privileges are required; the attacker only needs to get the payload into markdown content that remarkable will render [1][2].

Impact

Successful exploitation leads to cross-site scripting (XSS) in the context of the page displaying the rendered markdown. This allows an attacker to execute arbitrary JavaScript, potentially stealing cookies, session tokens, or performing actions on behalf of the victim user [2][3].

Mitigation

Upgrade to remarkable 1.7.0 or later, which filters data: URIs out of link destinations [2]. If upgrading is not possible, override the parser's validateLink hook with an allowlist of safe protocols rather than a blocklist of bad ones, so that new or obfuscated schemes are rejected by default [3]. The affected versions are ≤1.6.2 [1][2]. This vulnerability is not known to be listed in CISA's KEV.
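The mitigation described above, as an added example that is not remarkable's own code: an allowlist-based validateLink that also defeats the entity- and whitespace-obfuscated schemes a naive data:/javascript: check misses, beside a minimal renderLinks() stand-in that shows the vulnerable output (every destination emitted) and the hardened output side by side. The function names, SAFE_SCHEMES and the data: payload are constructed for the demo; how the hook is wired into a real remarkable instance is an assumption, noted after the block.

```javascript
// Added example for this advisory, not code from the remarkable project.
// Demonstrates an allowlist link validator and a tiny link renderer that
// contrasts the pre-1.7.0 behaviour with the hardened one.
// All inputs are constructed for the demo.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// A few named references that can hide a colon or whitespace inside a scheme.
// A Map avoids prototype lookups such as "&constructor;" hitting Object.prototype.
const NAMED_REFS = new Map([['colon', ':'], ['Tab', '\t'], ['NewLine', '\n']]);

// Turn a code point into a character, refusing out-of-range values.
const fromCodePoint = (cp) => (cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp));

// Decode the character references an attacker uses to disguise a scheme,
// e.g. "java&#x73;cript&#58;alert(1)" or "javascript&colon;alert(1)".
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCodePoint(parseInt(dec, 10)))
    .replace(/&([A-Za-z]+);/g, (m, name) => NAMED_REFS.get(name) ?? m);
}

// Allowlist hook: accept scheme-less destinations (relative paths, fragments)
// and SAFE_SCHEMES only. data:, javascript:, vbscript:, file: and any unknown
// scheme are rejected without having to be enumerated.
function validateLink(url) {
  let s = decodeEntities(String(url));
  // Browsers drop tab/newline anywhere in a URL and trim leading controls and
  // spaces, so "java\tscript:" must be normalised before the scheme is read.
  // Removing every C0 control and space is stricter than the URL parser, which
  // only errs on the side of rejecting.
  s = s.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return true;
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Escape for both attribute and text context; escaping '&' also keeps any
// entity that survived validation from being re-decoded by the browser.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Minimal stand-in for an inline link renderer: [text](href) -> <a href>.
// `validate` is the hook; passing () => true reproduces the pre-1.7.0 behaviour
// of emitting whatever destination the markdown contained.
function renderLinks(markdown, validate) {
  return markdown.replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, (_, text, href) => {
    const safeHref = validate(href) ? escapeHtml(href) : '';
    return `<a href="${safeHref}">${escapeHtml(text)}</a>`;
  });
}

// Constructed payload: a data:text/html link whose base64 body is
// "<script>alert(1)</script>".
const PAYLOAD_MD = '[open me](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)';

console.log('vulnerable:', renderLinks(PAYLOAD_MD, () => true));
console.log('hardened:  ', renderLinks(PAYLOAD_MD, validateLink));
```

Wiring this into remarkable itself means replacing the parser's validateLink hook; assigning it on the instance (md.inline.validateLink = validateLink) is my reading of the 1.x API and should be checked against the version in use. Link validation only covers markdown link syntax: if the instance is created with html: true, raw HTML in the source bypasses it entirely, so the rendered output should still go through an HTML sanitizer before it reaches the DOM.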

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: remarkable (npm)
Affected versions: < 1.7.0
Patched versions: 1.7.0

Affected products (2)

  • ghsa-coords
    Range: < 1.7.0
  • HackerOne / remarkable node module v5
    Range: <= 1.6.2

Patches (0)

No patches discovered yet.


References (5)
