tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript
Description
tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where `document.currentScript` was accessed without verifying that it referenced an actual `<script>` element. If an attacker injected a suitably named HTML element, it could clobber the `document.currentScript` property. This causes the script to resolve `document.currentScript` to the injected element instead of its own `<script>` tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global `document` object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
tarteaucitron.js prior to 1.22.0 is vulnerable to DOM clobbering via document.currentScript, allowing attackers to redirect the CDN domain.
Vulnerability Overview
tarteaucitron.js is a cookie banner library. In versions prior to 1.22.0, the script accessed `document.currentScript` without verifying that it referred to an actual `<script>` element. Because browsers expose named DOM elements as properties on `document`, an attacker could inject an element with `name="currentScript"` to clobber the property, causing the script to resolve incorrectly [1][3].
Attack Vector
An attacker who can inject HTML into the page (e.g., via XSS or compromised third-party content) can include a crafted element carrying `name="currentScript"`. When tarteaucitron.js runs, `document.currentScript` points to this element instead of the expected `<script>` tag. The script then uses the element's `src` to determine the CDN URL [3].
Impact
Successful exploitation allows the attacker to alter the CDN domain from which tarteaucitron.js loads its assets. This could lead to serving malicious scripts or resources from an attacker-controlled domain, potentially compromising the site's visitors [3].
Mitigation
The vulnerability is patched in version 1.22.0. The fix checks `document.currentScript instanceof HTMLScriptElement` and falls back to the last `<script>` tag if the check fails [4]. Users should update to the latest version. No workarounds are documented [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
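As an added example (not tarteaucitron's own code), the vulnerable and patched resolution of the script path side by side, run against a constructed stand-in for the DOM: `resolveCdnVulnerable` mirrors the pre-1.22.0 logic, `resolveCdnHardened` applies the `instanceof HTMLScriptElement` check from the fix plus an extra filename check on the fallback, and `findClobberingElements` is a small audit helper. The `Element`/`HTMLScriptElement` classes, the `elements` array and all hostnames are constructed for the demo.

```javascript
// Stand-ins for the browser classes so the demo runs under Node (constructed, not a real DOM).
class Element {
  constructor(tagName, attrs = {}) { this.tagName = tagName.toUpperCase(); Object.assign(this, attrs); }
}
class HTMLScriptElement extends Element {
  constructor(attrs = {}) { super('script', attrs); }
}

// Pre-1.22.0 logic: whatever document.currentScript holds is trusted for its src.
function resolveCdnVulnerable(doc) {
  const scripts = doc.scripts;
  const path = (doc.currentScript || scripts[scripts.length - 1]).src.split('?')[0];
  return path.split('/').slice(0, -1).join('/') + '/';
}

// Hardened logic: the instanceof check from the 1.22.0 fix, plus a filename check (added here,
// not part of the fix) so the fallback element must also be the library's own <script> tag.
function resolveCdnHardened(doc, ownFile = 'tarteaucitron.js') {
  const isOwn = (el) => el instanceof HTMLScriptElement &&
    typeof el.src === 'string' && el.src.split('?')[0].endsWith('/' + ownFile);
  let el = isOwn(doc.currentScript) ? doc.currentScript : null;
  if (!el) el = [...doc.scripts].reverse().find(isOwn) || null;
  if (!el) throw new Error('own <script> element not found; set tarteaucitronForceCDN explicitly');
  return el.src.split('?')[0].split('/').slice(0, -1).join('/') + '/';
}

// Audit helper: elements whose name/id would shadow a document property the page relies on.
// `doc.elements` is a constructed array; in a browser, iterate document.querySelectorAll('[name],[id]').
function findClobberingElements(doc, props = ['currentScript']) {
  return doc.elements
    .filter((el) => props.includes(el.name) || props.includes(el.id))
    .map((el) => `${el.tagName}[name=${el.name || el.id}]`);
}

// Constructed fixture: the legitimate tag plus an injected named element that a browser would
// expose as document.currentScript (the clobbering described in the advisory).
const ownTag = new HTMLScriptElement({ src: 'https://www.example.org/tac/tarteaucitron.js?v=1' });
const injected = new Element('img', { name: 'currentScript', src: 'https://injected.example/x/tarteaucitron.js' });
const clobberedDoc = { currentScript: injected, scripts: [ownTag], elements: [injected, ownTag] };

console.log(resolveCdnVulnerable(clobberedDoc));   // https://injected.example/x/
console.log(resolveCdnHardened(clobberedDoc));     // https://www.example.org/tac/
console.log(findClobberingElements(clobberedDoc)); // [ 'IMG[name=currentScript]' ]
```

The second case in the test below also shows the fallback path: with `currentScript` null and a foreign `<script>` last in the document, the original logic picks the foreign tag while the hardened resolver still finds the library's own.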
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tarteaucitronjs (npm) | < 1.22.0 | 1.22.0 |
Affected products
- AmauriC/tarteaucitron.js, range: < 1.22.0
Patches
- 230a3b69d363 Security: avoid a DOM clobbering on document.currentScript
2 files changed · +6 −3
tarteaucitron.js+5 −2 modified@@ -1,8 +1,11 @@ /*jslint browser: true, evil: true */ /* min ready */ -var scripts = document.getElementsByTagName('script'), - tarteaucitronPath = (document.currentScript || scripts[scripts.length - 1]).src.split('?')[0], +var tarteaucitronScriptsDiscover = document.getElementsByTagName('script'), + tarteaucitronCurrentScript = document.currentScript instanceof HTMLScriptElement + ? document.currentScript + : tarteaucitronScriptsDiscover[tarteaucitronScriptsDiscover.length - 1], + tarteaucitronPath = tarteaucitronCurrentScript.src.split('?')[0], tarteaucitronForceCDN = (tarteaucitronForceCDN === undefined) ? '' : tarteaucitronForceCDN, tarteaucitronUseMin = (tarteaucitronUseMin === undefined) ? '' : tarteaucitronUseMin, cdn = (tarteaucitronForceCDN === '') ? tarteaucitronPath.split('/').slice(0, -1).join('/') + '/' : tarteaucitronForceCDN,
tarteaucitron.min.js+1 −1 modified
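Review bot: the `instanceof HTMLScriptElement` guard correctly rejects a clobbered `document.currentScript`, but the fallback `tarteaucitronScriptsDiscover[tarteaucitronScriptsDiscover.length - 1]` is still taken on trust: when the library is loaded with `async`/`defer` or inserted dynamically, the last `<script>` in the document need not be tarteaucitron.js, and that element's `src` then drives `cdn`. Consider checking that the chosen element's `src` actually names the tarteaucitron file before deriving `tarteaucitronPath`, or documenting that `tarteaucitronForceCDN` should be set explicitly on pages where the script is not loaded synchronously. The +1 −1 change to tarteaucitron.min.js is not shown here; it should carry the same guard so the minified build does not stay on the old code path.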
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q43x-79jr-cq98 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-48939 (GHSA, ADVISORY)
- github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3 (GHSA, x_refsource_MISC, WEB)
- github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q43x-79jr-cq98 (GHSA, x_refsource_CONFIRM, WEB)