{"id":15673523,"url":"https://github.com/okikio/broadcast-channel-security-vulnerablility","last_synced_at":"2026-01-18T22:11:54.143Z","repository":{"id":108151381,"uuid":"520733769","full_name":"okikio/broadcast-channel-security-vulnerablility","owner":"okikio","description":"Vulnerability in Broadcast Channel allowing for Arbitrary Code Execution when using Eval (In-direct and with \"use strict\") ","archived":false,"fork":false,"pushed_at":"2024-06-02T22:17:48.000Z","size":58,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-04T01:15:42.736Z","etag":null,"topics":["security"],"latest_commit_sha":null,"homepage":"https://stackblitz.com/github/okikio/broadcast-channel-security-vulnerablility?file=README.md","language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/okikio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-03T04:11:21.000Z","updated_at":"2024-06-02T22:17:52.000Z","dependencies_parsed_at":"2025-03-10T12:44:51.327Z","dependency_job_id":null,"html_url":"https://github.com/okikio/broadcast-channel-security-vulnerablility","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/okikio/broadcast-channel-security-vulnerablility","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/okikio%2Fbroadcast-channel-security-vulnerablility","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/okikio%2Fbroadcast-channel-security-vulnerablility/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/okikio%2Fbroadcast-channel-security-vulnerablility/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/okikio%2Fbroadcast-channel-security-vulnerablility/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/okikio","download_url":"https://codeload.github.com/okikio/broadcast-channel-security-vulnerablility/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/okikio%2Fbroadcast-channel-security-vulnerablility/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28552605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T20:59:07.572Z","status":"ssl_error","status_checked_at":"2026-01-18T20:59:02.799Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security"],"created_at":"2024-10-03T15:41:08.587Z","updated_at":"2026-01-18T22:11:54.126Z","avatar_url":"https://github.com/okikio.png","language":"CSS","funding_links":[],"categories":[],"sub_categories":[],"readme":"# broadcast-channel-security-vulnerablility\n\n[Edit on StackBlitz ⚡️](https://stackblitz.com/github/okikio/broadcast-channel-security-vulnerablility?file=README.md)\n\nThere is a vulnerability in the Broadcast Channel API which allows for possible arbitrary code execution when using eval in all modes e.g. direct, in-direct, function, etc... This is due to the fact that the browser still sees eval as the same browsing context no-matter where eval is placed and allows Broadcast Channel messages through.\n\nIf a nefarious user gets access to the eval environment and creates a new Broadcast Channel with the same channel name as the one used in the websites source code, they could potentially man-in-the-middle messages across browsing context, e.g. collecting broadcasted information and tracking users, or even worse broadcast data that's isn't wanted and interrupt the normal process of the website or web app.\n\nA possible use of this vulnerability would be a message to a Service Worker, which could cause all sorts of problems, e.g. messing up caching strategy (depending on how the websites/web apps code is structured and how the nefarious individual chooses to use this vulnerability, it could render a site in-operable).\n\nI discovered this issue while trying to use Broadcast Channel to communicate across web workers while also running eval in a separate web worker. At first I thought I was the one doing it wrong, but then I found out it's actually a part of the spec., browser vendors might need to deviate from the spec or introduce new ways of limiting the scope of Broadcast Channel when running in an eval.\n\n### Updates...\n\nAfter reporting this vulnerability to Chrome, Safari and Firefox, they've all closed the cases I opened with the repsonse being that's what is expected from the how the spec is written, and there isn't much they can do to actually mitigate the risk.\n\n\u003e On firefox you can limit the reach of Broadcast Channel to only the Worker that created it by using `data` urls to create the Worker, as in Firefox `data` urls are treated as a different origin. If `URL.createObjectURL(...)` is used, Firefox will still be vulnerable. Using `data` urls to create Workers also blocks Broadcast Channel from working within that Worker not just the eval. \n\nYou can check out a demo of this vulnerability on Codepen: https://codepen.io/okikio/pen/vYRvqRy\n\n\n\u003e **Note**: this affects all browser vendors as of August 2nd, 2022 EST\n\u003e * Edge \u0026 Chrome: 103.0.1264.77 \u0026 104.0.5112.79\n\u003e * Safari \u0026 Safari Technoloy Preview: 15.6 (17613.3.9.1.5) \u0026 150 (Safari 16.0, WebKit 17614.1.22.1.2)\n\u003e * Firefox: 103.0.1  \n\n^ This most-likely also affects older browsers, but I have not yet confirmed this\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fokikio%2Fbroadcast-channel-security-vulnerablility","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fokikio%2Fbroadcast-channel-security-vulnerablility","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fokikio%2Fbroadcast-channel-security-vulnerablility/lists"}