CVE-2025-25300
Description
smartbanner.js is a customizable smart app banner for iOS and Android. Prior to version 1.14.1, clicking the smartbanner View link and navigating to a third-party page leaves window.opener exposed. This may allow hostile third parties to abuse window.opener, e.g. by redirecting or injecting content into the original page that hosts the smartbanner. As of v1.14.1, rel="noopener" is automatically added to the links; upgrading is the recommended way to resolve the vulnerability. Some workarounds are available for those who cannot upgrade. Ensure the View link only takes users to the App Store or Google Play Store, where security is guarded by the respective app store security teams. If the View link goes to a third-party page, limit smartbanner.js to iOS, which decreases the scope of the vulnerability, since as of Safari 12.1 rel="noopener" is imposed on all target="_blank" links. Version 1.14.1 of smartbanner.js contains a fix for the issue.
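As an added example (not smartbanner.js project code), the following audits rendered banner markup for target="_blank" anchors that would expose window.opener and applies the same rel="noopener" mitigation the 1.14.1 fix adds to the View button, which is a usable workaround for pages that cannot upgrade. The third-party URL https://example.test/landing in the sample is a hypothetical buttonUrl, and the sample markup is constructed from the pre-fix View button shown in the patch.

```javascript
// Added example, not part of smartbanner.js: audit and harden rendered banner
// HTML so every target="_blank" anchor carries rel="noopener" (or noreferrer,
// which implies noopener). Operates on an HTML string so it runs in Node; in a
// browser the equivalent audit is
// document.querySelectorAll('a[target="_blank"]:not([rel~="noopener"]):not([rel~="noreferrer"])').

// Match each <a ...> start tag; attributes are read by getAttr below.
const ANCHOR_TAG = /<a\b[^>]*>/gi;

function getAttr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*"([^"]*)"`, 'i'));
  return m ? m[1] : null;
}

// True when the anchor opens a new browsing context and neither noopener nor
// noreferrer is present in rel, i.e. the opened page can reach window.opener.
function isOpenerLeak(tag) {
  if ((getAttr(tag, 'target') || '').toLowerCase() !== '_blank') return false;
  const rel = (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Returns the href of every anchor in `html` that would expose window.opener.
function findOpenerLeaks(html) {
  return (html.match(ANCHOR_TAG) || []).filter(isOpenerLeak).map((t) => getAttr(t, 'href'));
}

// Returns a copy of `html` with rel="noopener" added (or appended to an
// existing rel) on every leaking anchor; safe anchors are left untouched.
function hardenOpenerLeaks(html) {
  return html.replace(ANCHOR_TAG, (tag) => {
    if (!isOpenerLeak(tag)) return tag;
    const rel = getAttr(tag, 'rel');
    if (rel === null) return tag.replace(/>$/, ' rel="noopener">');
    return tag.replace(/\srel\s*=\s*"[^"]*"/i, ` rel="${(rel + ' noopener').trim()}"`);
  });
}

// Constructed sample: the pre-1.14.1 View button markup from the advisory's
// diff with a hypothetical third-party buttonUrl, next to an already-safe
// store link that must not be modified.
const SAMPLE = `<div class="smartbanner__info">
  <a href="https://example.test/landing" target="_blank" class="smartbanner__button"><span class="smartbanner__button__label">View</span></a>
  <a href="https://play.google.com/store" target="_blank" class="smartbanner__button" rel="noopener"><span>View</span></a>
</div>`;

console.log('leaking View links:', findOpenerLeaks(SAMPLE));
console.log(hardenOpenerLeaks(SAMPLE));
```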
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| smartbanner.js (npm) | < 1.14.1 | 1.14.1 |
Patches
290c6a341d541fce8c31dfe04: Fix #118 Store link is missing rel="noopener"
2 files changed · +4 −4
src/smartbanner.js+1 −1 modified@@ -126,7 +126,7 @@ export default class SmartBanner { <div class="smartbanner__info__price">${this.options.price}${this.priceSuffix}</div> </div> </div> - <a href="${this.buttonUrl}" target="_blank" class="smartbanner__button"><span class="smartbanner__button__label">${this.options.button}</span></a> + <a href="${this.buttonUrl}" target="_blank" class="smartbanner__button" rel="noopener"><span class="smartbanner__button__label">${this.options.button}</span></a> </div>`; }
test/spec/smartbanner_spec.js+3 −3 modified@@ -126,7 +126,7 @@ describe('SmartBanner', function() { <div class="smartbanner__info__price">FREE - On the App Store</div> </div> </div> - <a href="https://itunes.apple.com/us/genre/ios/id36?mt=8" target="_blank" class="smartbanner__button"><span class="smartbanner__button__label">View</span></a> + <a href="https://itunes.apple.com/us/genre/ios/id36?mt=8" target="_blank" class="smartbanner__button" rel="noopener"><span class="smartbanner__button__label">View</span></a> </div>`; const ANDROID_BODY = `<div class="smartbanner smartbanner--android js_smartbanner"> @@ -139,7 +139,7 @@ describe('SmartBanner', function() { <div class="smartbanner__info__price">FREE - In Google Play</div> </div> </div> - <a href="https://play.google.com/store" target="_blank" class="smartbanner__button"><span class="smartbanner__button__label">View</span></a> + <a href="https://play.google.com/store" target="_blank" class="smartbanner__button" rel="noopener"><span class="smartbanner__button__label">View</span></a> </div>`; const ANDROID_CUSTOM_DESIGN_BODY = `<div class="smartbanner smartbanner--custom-design js_smartbanner"> @@ -152,7 +152,7 @@ describe('SmartBanner', function() { <div class="smartbanner__info__price">FREE - In Google Play</div> </div> </div> - <a href="https://play.google.com/store" target="_blank" class="smartbanner__button"><span class="smartbanner__button__label">View</span></a> + <a href="https://play.google.com/store" target="_blank" class="smartbanner__button" rel="noopener"><span class="smartbanner__button__label">View</span></a> </div>`; const USER_AGENT_IPHONE_IOS8 = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A405 Safari/600.1.4';
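Review bot: the new `rel="noopener"` on the View anchor in src/smartbanner.js fixes the opener leak only in engines that understand noopener; older engines that predate it still hand the opened page a live window.opener. Consider emitting `rel="noopener noreferrer"`, since noreferrer was supported earlier and also severs the opener, at the documented cost of dropping the Referer header on the store link.

Review bot: the three fixture updates in test/spec/smartbanner_spec.js only change expected markup for store URLs (itunes.apple.com and play.google.com), while the advisory's concern is a View link that points at a third-party page. Add a fixture with a non-store buttonUrl asserting that `rel="noopener"` is still emitted, so a later change that conditions the attribute on the destination would fail the suite.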