Currently I am working on a project that uses RxJS within the Angular framework. A recent penetration testing report highlighted that the use of `window.postMessage('', '*')` in the application could lead to security vulnerabilities. Investigating this further, we found that the Immediate.js file within RxJS (http://reactivex.io/rxjs/file/es6/util/Immediate.js.html) could be the source of this issue. The penetration test report states: "If the postMessage() is used to transmit sensitive information between windows, then an unauthorised window would be able to retrieve this information as well". There were suggestions to use an explicit target window instead of the wildcard ('*') character in the window.postMessage() function to overcome this issue. Since this code is embedded in the RxJS library, we don't feel comfortable changing it, as it may introduce some undesirable effects.
Given the above scenario, I would like to know:
N.B. The penetration test was conducted by a third party and we don’t know the tools they may have used.
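The risk the report describes and the suggested fix, shown as an added example that is not part of the question and not code from RxJS or Angular. It models the one browser rule that matters here (a message is delivered only when `targetOrigin` is `'*'` or equals the receiving window's current origin) with a constructed `FakeWindow` stand-in so it runs under Node; the origins, the token and the helper names `sendMessage` and `makeMessageHandler` are all assumptions made for the illustration, and the real API is `window.postMessage` plus the `'message'` event.

```javascript
// Constructed stand-in for a browser window: only the origin check of
// postMessage and event dispatch are modelled (assumption, not the real API).
class FakeWindow {
  constructor(origin) {
    this.origin = origin;     // origin of the document currently loaded
    this.received = [];       // every message the browser delivered here
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  // Browser rule: deliver only if targetOrigin is '*' or matches this
  // window's current origin; otherwise the message is silently dropped.
  postMessage(data, targetOrigin, sourceWindow) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { data, origin: sourceWindow.origin, source: sourceWindow };
    this.received.push(data);
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Sender side: never post sensitive data with the wildcard target origin.
function sendMessage(target, data, targetOrigin, source, { sensitive = true } = {}) {
  if (sensitive && targetOrigin === '*') {
    throw new Error('refusing to post sensitive data with targetOrigin "*"');
  }
  return target.postMessage(data, targetOrigin, source);
}

// Receiver side: ignore messages whose origin is not on the allowlist.
function makeMessageHandler(allowedOrigins, onTrusted) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false;
    onTrusted(event.data);
    return true;
  };
}

// Scenario: the app posts a token to a window it opened. If that window
// has since navigated to another origin, '*' would still deliver the
// token; an explicit targetOrigin makes the browser drop it.
function demo() {
  const app = new FakeWindow('https://app.example');
  const child = new FakeWindow('https://app.example');
  const token = { token: 'constructed-sample-token' };  // constructed value
  const r = {};

  // Same origin, explicit target: delivered.
  r.explicitDelivered = sendMessage(child, token, 'https://app.example', app);

  // Child window navigated elsewhere after being opened.
  child.origin = 'https://other.example';
  // Explicit target: dropped by the browser, nothing leaks.
  r.explicitAfterNav = sendMessage(child, token, 'https://app.example', app);
  // Wildcard is still fine for data that is genuinely public.
  r.wildcardAfterNav = sendMessage(child, { ping: 1 }, '*', app, { sensitive: false });
  // Wildcard with sensitive data is refused before postMessage is reached.
  try {
    sendMessage(child, token, '*', app);
    r.wildcardRefused = false;
  } catch (e) {
    r.wildcardRefused = true;
  }
  r.childReceivedCount = child.received.length;  // token before nav + ping

  // Receiver check: only allowlisted origins are acted on.
  const handler = makeMessageHandler(['https://app.example'], () => {});
  r.trustedAccepted = handler({ data: 'x', origin: 'https://app.example' });
  r.untrustedIgnored = !handler({ data: 'x', origin: 'https://other.example' });
  return r;
}

console.log(demo());
```

Both halves are needed: the explicit `targetOrigin` protects what you send, and the `event.origin` allowlist protects what you act on. A scheduling shim that posts an empty string with `'*'` exposes no secret by itself; the finding becomes a real leak only where application code reuses that pattern for data that matters.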
Updating Angular from 5.5.2 to version 6 seems to have fixed the issue. During the update, rxjs was updated to version 6 as recommended by the Angular update site. We followed the steps as provided by this site and now we are running rxjs 6, which does not include the `window.postMessage("", "*")` call that was highlighted in our pentest.
@fridoo thanks again for pointing us in the right direction!