Issues » Cross Domain Scripts Included Within Application

Issue: SI-6
Date: Jun 4, 2013, 7:45:00 AM
Severity: Low
Requires Admin Access: No
Fix Version: n/a
Credit: Internal Security Team
Description:

The web application was found to include, within its own pages, JavaScript hosted on a third-party server:

https://ajax.googleapis.com/ajax/libs/chrome-frame/1/CFInstall.min.js

A script included this way runs in the application's origin with the same privileges as the application's own code. A compromised or malicious third-party host could therefore use such a script to run arbitrary JavaScript in the user's session and gain full access to the user's account and data within the application.

Scripts should not be included from untrusted domains. Where scripts produced by a third party are required, they should first be reviewed and then copied to, and maintained on, the server hosting the application, so that the application no longer depends on the third party continuing to serve unmodified code. If a script must remain on the third-party host, a Subresource Integrity (integrity) attribute on the script tag makes the browser refuse any copy whose hash no longer matches the reviewed version.

Mitigation:

dotCMS requires this script (the Google Chrome Frame install prompt) in order to provide backward compatibility for older IE browsers. In this case, we treat ajax.googleapis.com as a "trusted" domain.