VYPR
Moderate severity · NVD Advisory · Published Mar 2, 2022 · Updated Aug 3, 2024

CVE-2022-23395

Description

jQuery Cookie 1.4.1 is vulnerable to prototype pollution, leading to DOM cross-site scripting (XSS) via crafted JSON data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS). The vulnerability resides in the parsing of cookie data when the library processes user-supplied input. The affected version is 1.4.1 [1][2].

Exploitation

An attacker can exploit this vulnerability by injecting malicious JSON data into a cookie that the application processes using jQuery Cookie. The prototype pollution occurs when the library merges cookie data without proper sanitization. An attacker needs to be able to set a cookie on the target application, possibly via another vulnerability or user interaction [1].

Impact

Successful exploitation allows the attacker to pollute the Object.prototype, leading to DOM-based cross-site scripting (XSS). The attacker can inject arbitrary JavaScript code that executes in the context of the victim's browser, potentially leading to session theft, data exfiltration, or other malicious actions [1].

Mitigation

The vulnerability is present in jQuery Cookie 1.4.1. No patch has been released as the package appears to be unmaintained. The latest version is 1.4.1 and no non-vulnerable version is available [2]. Users should consider migrating to an alternative cookie handling library or implementing manual input validation and sanitization. Not yet disclosed in the available references.
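The manual validation suggested above could look like the following. This is an added example, not code from jQuery Cookie or from the advisory: `naiveMerge`, `parseCookieJson`, `safeMerge` and the sample cookie are hypothetical, and `naiveMerge` is a generic stand-in for an unsafe merge rather than the library's implementation. It assumes the cookie carries URL-encoded JSON.

```javascript
// Added example; helper names are hypothetical, not part of jQuery Cookie.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Generic unsafe recursive merge (a stand-in, not the library's code): an own
// "__proto__" key in `source` makes target[key] resolve to Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveMerge(target[key], val);
    } else target[key] = val;
  }
  return target;
}

// Hardened parse: the reviver drops blocked keys at every depth; malformed
// encoding or JSON yields null. Assumes the cookie holds URL-encoded JSON.
function parseCookieJson(raw) {
  try {
    return JSON.parse(decodeURIComponent(raw), (key, val) =>
      BLOCKED_KEYS.has(key) ? undefined : val);
  } catch (err) {
    return null;
  }
}

// Hardened merge: own keys only, blocked keys skipped, inherited values never walked.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
    const nested = val !== null && typeof val === 'object' && !Array.isArray(val);
    target[key] = nested ? safeMerge(typeof own === 'object' && own ? own : {}, val) : val;
  }
  return target;
}

// Constructed sample cookie value, for illustration only.
const SAMPLE_COOKIE = encodeURIComponent('{"theme":"dark","__proto__":{"polluted":"yes"}}');

function demo() {
  naiveMerge({}, JSON.parse(decodeURIComponent(SAMPLE_COOKIE)));
  const naive = ({}).polluted;      // inherited from the polluted prototype
  delete Object.prototype.polluted; // undo the pollution before the safe run
  const prefs = safeMerge({ theme: 'light' }, parseCookieJson(SAMPLE_COOKIE) || {});
  return { naive, hardened: ({}).polluted, theme: prefs.theme };
}
```

`safeMerge` filters blocked keys on its own, so it still holds if a caller passes it data that did not go through `parseCookieJson`.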

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| jquery.cookie (NuGet) | <= 1.4.1 | |

Affected products

2

Patches

0

No patches discovered yet.

References

5
