Enter your email below to sign up for latest updates from Appcheck NG.


Simply complete the info below and we'll send you all you need to activate AppCheck NG and undertake your FREE scan.

Please enter individual IP addresses or ranges

Please enter full URLs for your web applications, and both http and https where appropriate

Adobe Fixes HTML5 PostMessage Security Flaw

AppCheck NG has identified a significant security flaw affecting a common JavaScript component provided as part of the Adobe Marketing Cloud. The flaw affected many high profile applications including several banking sites and well known .com organisations, and has now been fixed by the vendor.

When imported, the affected JavaScript components adds a vulnerable postMessage handler to the page which fails to correctly validate the source origin of inbound messages before insecurely processing the message payload. A malicious attacker could exploit this flaw to perform a Cross-Site Scripting attack against the affected application.

This flaw was reported to Adobe via HackerOne and has now been resolved.


AppCheck NG analyses postMessage handlers during the crawl phase of all Web Application scans. Using static analysis techniques, the JavaScript handler is examined to determine if the source origin of inbound messages is checked before further processing. Potentially vulnerable handlers are then flagged by AppCheck along with the handler’s JavaScript code and any messages that were observed during the scan. Existing messages are then passed to the scan engine to determine whether vulnerabilities such as Cross-Site Scripting are present.

Several AppCheck clients alerted us to the presence of a vulnerable handler imported from the following Adobe CDN URLs:

Upon examination of the affected handler was found to be vulnerable to Cross-Site Scripting.

Example AppCheck Output:

Our Proof-Of-Concept:

Technical Analysis

The following code snippet from target.js is responsible for binding the event listener for message events to the loadCDQLibs() function. postMessage events are then passed to this function for further processing:

if (typeof _AT.eventListenerAdded == "undefined") {
	addListener(window, "message", loadCDQLibs);
	_AT.eventListenerAdded = true

Within the loadCDQLibs() function the message payload string is converted to a JSON object before checking the resulting .action property against the text string “targetjsHandShakeAck”; if matched, the config attribute (an embedded object) is passed to the processHandShakeAcknowledgment() function:

var loadCDQLibs = function(evt) {
// truncated
// truncated
if (message.action === "targetjsHandShakeAck") {
// truncated

It’s in the processHandShakeAcknowledgment function that the Cross-Site Scripting vulnerability occurs. First, the config object is checked to determine that the updatePageURL is set – if successful, the current window location is changed to the URL stored within the pageURL attribute. By supplying a JavaScript URI within the pageURL attribute we were able to execute JavaScript in the context of the target application.

var processHandShakeAcknowledgment = function(config) {
        if (config.updatePageURL) {
            window.location.href = config.pageURL

Proof of Concept

The following message payload can be submitted to the vulnerable application in order to execute the JavaScript code alert(‘xss’):


The following JavaScript code can be used to demonstrate the flaw against a vulnerable application:

//Open the target application.
target = window.open("http://target/vulnerable")
function exploit(){
	payload = {"action":"targetjsHandShakeAck",
	//send payload to target application
// wait 3 seconds to allow the page to load

We have compiled a working proof-of-concept for this vulnerability, which can be downloaded here: http://appcheck-ng.com/wp-content/uploads/2015/07/Adobe-exploit-example.zip