[security] bidders can execute external code on the page without winning

[jeremiegirault]

Type of issue

data leak / optimization / security

Description

I was playing with Renderer when creating a custom adapter with outstream video support. So I created a Renderer in order to display a player when retrieving some VAST response.
I noticed that the Renderer class loads the external script in it's constructor, not in the render function. Therefore external scripts are loaded, not only when the bid in won but when bid responses are received.
That can cause multiple requests during the auction and bidders that do not win can load any external scripts and access the whole page under the "outstream" module code. That can lead to strategies of sending empty bids to execute random code on the page.

Steps to reproduce

Here "github code" in a bid adapter interpret bids :

export const spec = {
  ...
  interpretResponse (res) {
     return {
       ...
       cpm: 0,
       renderer: Renderer.install({ url: '//foo/bar.js' })
     }
  }
}

Expected results

I expect the external script url (//foo/bar.js) to be loaded only when the bid is won.

Actual results

The external script is loaded immediately.

Workaround

As a publisher I would override using adunit-based renderer in order to prevent loading of external renderer scripts.

Platform details

[email protected] / MacOS 10.14.6 / edge beta 81.0.416.50

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jeremiegirault]

up

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jeremiegirault]

not stale

[wqi1972]

I guess the issue is, inside src/Renderer.js, code

  if (!isRendererDefinedOnAdUnit(adUnitCode)) {
    // we expect to load a renderer url once only so cache the request to load script
    loadExternalScript(url, moduleCode, this.callback);
  } else {
    utils.logWarn(`External Js not loaded by Renderer since renderer url and callback is already defined on adUnit ${adUnitCode}`);
  }

get called inside Renderer function, instead it suppose be called only after bid won event. (but I am not sure it suppose be after prebid auction won event or dfp auction won event)

[jeremiegirault]

A simple way would be to call it in the render function. I can submit a pr if you want

[mkendall07]

We definitely should not be loading the renderer code if the bid did not win. It should indeed be triggered by the render function. If that's not the case, a PR would be appreciated. We'd obviously need to test this well. Thanks for the report.

In regards to the context which the renderer is executed, it's expected to be in the global context. We have plans to change this in the future, but will take some time to flush out the technical details and implementation.

[jeremiegirault]

Hello for cross-reference I added sample code : #5235
I can't build anything because of an outdated dependency, I may try it later.

[jeremiegirault]

I switched node version and fixed tests