Hi,
I found a cross-origin code execution issue in the Builder React SDK. Two pieces chain together.
Missing origin validation on postMessage
In builder-block.component.tsx around line 255, the onWindowMessage handler processes builder.patchUpdates messages without checking the sender's origin. The adjacent components do validate:
builder-component.component.tsx:532 — calls Builder.isTrustedHostForEvent(event) before processing
builder-content.component.tsx:126 — calls Builder.isTrustedHostForEvent(event) before processing
builder-block.component.tsx:255 — does NOT validate
An attacker who can send a postMessage to the window (via iframe or window.open) can patch the bindings property on any block. Bindings go through stringToFunction -> new Function() -> arbitrary JavaScript execution in the host page context.
Editing mode via query parameter
In builder.class.ts:1166, editing mode is toggled by checking for builder.frameEditing= in the query string. Any page can be iframed with that parameter to force editing mode, activating the unvalidated message listener.
Chain: attacker iframes victim page with ?builder.frameEditing=true, sends crafted postMessage with malicious binding, gets code execution.
Fix: Add the same Builder.isTrustedHostForEvent(event) check to builder-block.component.tsx:onWindowMessage that the other components already have.
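As an added illustration of that fix (not code from the Builder React SDK), the handler below applies a builder.patchUpdates message only after an origin allowlist check of the kind the other two components already perform; the allowlist, the message shape and the in-memory block store are assumptions, and isTrustedHostForEvent is a stand-in for Builder.isTrustedHostForEvent.

```javascript
// Added example, not Builder SDK code. Allowlist, message shape and block
// store are assumed for the sake of a runnable demonstration.
const TRUSTED_HOSTS = ['builder.io', 'localhost']; // assumed allowlist

// Stand-in for Builder.isTrustedHostForEvent: accept only messages whose
// origin parses to an allowlisted host or a subdomain of one. An origin of
// "null" (sandboxed or opaque sender) fails to parse and is rejected.
function isTrustedHostForEvent(event) {
  let host;
  try {
    host = new URL(event.origin).hostname;
  } catch {
    return false;
  }
  return TRUSTED_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

// Applies a patchUpdates message to the block store and returns the ids whose
// bindings changed. Returns [] and leaves the store untouched when the message
// is not a patchUpdates message or its origin is not trusted.
function onWindowMessage(event, blocks) {
  const data = event.data;
  if (!data || data.type !== 'builder.patchUpdates') return [];
  if (!isTrustedHostForEvent(event)) return []; // the check the report asks for
  const patched = [];
  for (const [id, patch] of Object.entries(data.data || {})) {
    if (blocks[id] && patch.bindings) {
      blocks[id].bindings = { ...blocks[id].bindings, ...patch.bindings };
      patched.push(id);
    }
  }
  return patched;
}

// Constructed sample: the same patch sent first from an untrusted origin,
// then from the editor host. Only the second one may change the binding.
function demo() {
  const blocks = { 'block-1': { bindings: { 'style.color': '"red"' } } };
  const patch = {
    type: 'builder.patchUpdates',
    data: { 'block-1': { bindings: { 'style.color': '"blue"' } } },
  };
  const fromStranger = onWindowMessage({ origin: 'https://untrusted.example', data: patch }, blocks);
  const colorAfterStranger = blocks['block-1'].bindings['style.color'];
  const fromEditor = onWindowMessage({ origin: 'https://builder.io', data: patch }, blocks);
  const colorAfterEditor = blocks['block-1'].bindings['style.color'];
  return { fromStranger, colorAfterStranger, fromEditor, colorAfterEditor };
}
```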
Reported by ProScan AppSec (https://proscan.one)