WS-2017-0268 | Mend Vulnerability Database

Vulnerability DatabaseWS-2017-0268

WS-2017-0268

Published:May 14, 2026

Updated:May 14, 2026

Both Firefox and Safari are vulnerable to XSS if we use an inert document created via `document.implementation.createHTMLDocument()`.

Affected Packages

angular (BOWER):

Affected version(s) =v1.0.8 <v1.2.0-rc.1

Fix Suggestion:

Update to version v1.2.0-rc.1

angular (BOWER):

Affected version(s) =v1.5.9 <v1.5.10-build.5161+sha.d7cc863

Fix Suggestion:

Update to version v1.5.10-build.5161+sha.d7cc863

angular (BOWER):

Affected version(s) =v1.6.1 <v1.6.2-build.5218+sha.ee1458f

Fix Suggestion:

Update to version v1.6.2-build.5218+sha.ee1458f

angular (BOWER):

Affected version(s) =v1.5.8 <v1.5.9-build.191+sha.ad3a1f9

Fix Suggestion:

Update to version v1.5.9-build.191+sha.ad3a1f9

angular (BOWER):

Affected version(s) =v1.3.20 <v1.3.21-build.153+sha.a9ecde1

Fix Suggestion:

Update to version v1.3.21-build.153+sha.a9ecde1

angular (BOWER):

Affected version(s) =v1.2.26 <v1.2.27-build.491+sha.07d6242

Fix Suggestion:

Update to version v1.2.27-build.491+sha.07d6242

angular (BOWER):

Affected version(s) =v1.2.29 <v1.2.30-build.604+sha.34e5623

Fix Suggestion:

Update to version v1.2.30-build.604+sha.34e5623

angular (BOWER):

Affected version(s) =v1.5.3 <v1.5.4-build.4699+sha.bd7d5f6

Fix Suggestion:

Update to version v1.5.4-build.4699+sha.bd7d5f6

angular (BOWER):

Affected version(s) =v1.6.2 <v1.6.3-build.5293+sha.b7ee5ee

Fix Suggestion:

Update to version v1.6.3-build.5293+sha.b7ee5ee

angular (BOWER):

Affected version(s) =v1.2.16 <v1.2.17-build.100+sha.feb54d6

Fix Suggestion:

Update to version v1.2.17-build.100+sha.feb54d6

angular (BOWER):

Affected version(s) =v1.3.2 <v1.3.3-build.3534+sha.b6fd184

Fix Suggestion:

Update to version v1.3.3-build.3534+sha.b6fd184

angular (BOWER):

Affected version(s) =v1.4.8 <v1.4.9-build.1+sha.7882c1c

Fix Suggestion:

Update to version v1.4.9-build.1+sha.7882c1c

angular (BOWER):

Affected version(s) =v1.5.6 <v1.5.7-build.4837+sha.f58d4fb

Fix Suggestion:

Update to version v1.5.7-build.4837+sha.f58d4fb

angular (BOWER):

Affected version(s) =v1.4.3 <v1.4.4-build.4102+sha.528ceda

Fix Suggestion:

Update to version v1.4.4-build.4102+sha.528ceda

angular (BOWER):

Affected version(s) =v1.4.14 <v1.5.0-beta.0

Fix Suggestion:

Update to version v1.5.0-beta.0

angular (BOWER):

Affected version(s) =v1.3.15 <v1.3.16-build.100+sha.d5c99ea

Fix Suggestion:

Update to version v1.3.16-build.100+sha.d5c99ea

angular (BOWER):

Affected version(s) >=v1.5.10 <v1.6.1-build.5188+sha.1b7ddd3

Fix Suggestion:

Update to version v1.6.1-build.5188+sha.1b7ddd3

angular (BOWER):

Affected version(s) =v1.3.9 <v1.3.10-build.17+sha.bf55d76

Fix Suggestion:

Update to version v1.3.10-build.17+sha.bf55d76

angular (BOWER):

Affected version(s) =v1.4.5 <v1.4.6-build.4194+sha.170cd96

Fix Suggestion:

Update to version v1.4.6-build.4194+sha.170cd96

angular (BOWER):

Affected version(s) =v1.4.6 <v1.4.7-build.4242+sha.4dd10fd

Fix Suggestion:

Update to version v1.4.7-build.4242+sha.4dd10fd

angular (BOWER):

Affected version(s) =v1.0.6 <v1.0.7

Fix Suggestion:

Update to version v1.0.7

angular (BOWER):

Affected version(s) =v1.6.3 <v1.6.4-build.5311+sha.1daa4f2

Fix Suggestion:

Update to version v1.6.4-build.5311+sha.1daa4f2

angular (BOWER):

Affected version(s) =v1.3.17 <v1.3.18-build.129+sha.8bd59a5

Fix Suggestion:

Update to version v1.3.18-build.129+sha.8bd59a5

angular (BOWER):

Affected version(s) =v1.5.5 <v1.5.6-build.4757+sha.c3de164

Fix Suggestion:

Update to version v1.5.6-build.4757+sha.c3de164

angular (BOWER):

Affected version(s) =v1.4.10 <v1.4.11

Fix Suggestion:

Update to version v1.4.11

angular (BOWER):

Affected version(s) =v1.5.0 <v1.5.1-build.4591+sha.75f23f0

Fix Suggestion:

Update to version v1.5.1-build.4591+sha.75f23f0

angular (BOWER):

Affected version(s) =v1.6.4 <v1.6.5-build.5352+sha.06516d7

Fix Suggestion:

Update to version v1.6.5-build.5352+sha.06516d7

angular (BOWER):

Affected version(s) =v1.5.7 <v1.5.8-build.4886+sha.ff5f645

Fix Suggestion:

Update to version v1.5.8-build.4886+sha.ff5f645

angular (BOWER):

Affected version(s) >=v1.2.31 <v1.3.0-beta.1

Fix Suggestion:

Update to version v1.3.0-beta.1

angular (NPM):

Affected version(s) >=0.0.1-1 <1.6.5

Fix Suggestion:

Update to version 1.6.5

angularjs.sanitize (NUGET):

Affected version(s) >=1.5.9 <1.6.5

Fix Suggestion:

Update to version 1.6.5

angularjs (NUGET):

Affected version(s) >=1.5.9 <1.6.5

Fix Suggestion:

Update to version 1.6.5

colorgap/bowyer (PHP):

Affected version(s) =dev-master <v0.2.0

Fix Suggestion:

Update to version v0.2.0

dmstr/yii2-filemanager-widgets (PHP):

Affected version(s) =dev-feature/custom-item-urls <dev-feature/filemanager-thumbnails-update

Fix Suggestion:

Update to version dev-feature/filemanager-thumbnails-update

neoslive/hybridsearch (PHP):

Affected version(s) =dev-master <1.0.1

Fix Suggestion:

Update to version 1.0.1

dmstr/yii2-filemanager-widgets (PHP):

Affected version(s) >=dev-dev/input-widget <dev-feature/bugfix

Fix Suggestion:

Update to version dev-feature/bugfix

kewljuice/civicrm-libraries (PHP):

Affected version(s) =dev-master

Fix Suggestion:

Update to version no_fix

prestiggio/medias (PHP):

Affected version(s) =dev-prefixed

Fix Suggestion:

Update to version no_fix

happycoding/civicrm-core-for-drupal (PHP):

Affected version(s) >=dev-dev <=5.14.1-RC1

Fix Suggestion:

Update to version no_fix

dmstr/yii2-filemanager-widgets (PHP):

Affected version(s) >=dev-feature/scoped-less <dev-master

Fix Suggestion:

Update to version dev-master

opis-assets/angular (PHP):

Affected version(s) =dev-master <1.5.9

Fix Suggestion:

Update to version 1.5.9

calibrate/civicrm-libraries (PHP):

Affected version(s) =dev-master <v1.0

Fix Suggestion:

Update to version v1.0

larakit/sf-angular-sanitize (PHP):

Affected version(s) =dev-master

Fix Suggestion:

Update to version no_fix

happycoding/civicrm-library-for-drupal (PHP):

Affected version(s) >=dev-dev <=5.14.1-RC1

Fix Suggestion:

Update to version no_fix

neoslive/hybridsearch (PHP):

Affected version(s) >=1.0.10 <=1.1.44

Fix Suggestion:

Update to version no_fix

colorgap/brush (PHP):

Affected version(s) =dev-master <v0.2.0

Fix Suggestion:

Update to version v0.2.0

coresys/corelibrary (PHP):

Affected version(s) >=dev-master <=1.0.1

Fix Suggestion:

Update to version no_fix

Related Resources (2)

https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94

https://github.com/RetireJS/retire.js/commit/a47c5f939e8ed4f5148acb147923f31863cb73c8

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

4.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE