📄 Description (English)
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain
🤖 AI Executive Summary
CleverTap Web SDK versions 1.15.2 and earlier contain a DOM-based XSS vulnerability in the Visual Builder module due to improper origin validation using the includes() method. An attacker can bypass origin checks via crafted subdomains in window.postMessage communications, potentially allowing malicious script injection. This affects organizations using CleverTap for customer engagement and analytics across the Middle East region.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 23:50
🇸🇦 Saudi Arabia Impact Assessment
Saudi banking and financial services organizations using CleverTap for customer engagement platforms are at significant risk, particularly those under SAMA oversight. E-commerce and retail sectors leveraging CleverTap analytics face exposure to customer data theft and session hijacking. Government digital transformation initiatives and healthcare providers using customer engagement tools are vulnerable to credential harvesting and sensitive data exfiltration. Telecommunications companies (STC, Mobily, Zain) utilizing CleverTap for customer analytics could experience service disruption and customer trust erosion.
🏢 Affected Saudi Sectors
Banking and Financial Services
E-commerce and Retail
Government and Public Sector
Healthcare and Pharmaceuticals
Telecommunications
Insurance
Hospitality and Travel
Media and Publishing
🎯 MITRE ATT&CK Techniques
T1059.007 — Command and Scripting Interpreter: JavaScript/Jscript
T1189 — Drive-by Compromise via malicious postMessage injection
T1566.002 — Phishing: Spearphishing Link with XSS payload
T1598.003 — Phishing for Information: Spearphishing Link to capture credentials via XSS
T1539 — Steal Web Session Cookie via DOM-based XSS
T1056.004 — Keylogging via injected JavaScript
T1041 — Exfiltration Over C2 Channel using injected scripts
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE ACTIONS:
- Audit all CleverTap Web SDK implementations across your organization
- Identify systems running versions 1.15.2 or earlier
- Implement Content Security Policy (CSP) headers with strict frame-ancestors and script-src directives
- Enable X-Frame-Options: DENY header on all pages using CleverTap
2. PATCHING GUIDANCE:
- Upgrade CleverTap Web SDK to version 1.15.3 or later immediately
- Test upgrades in staging environment before production deployment
- Verify origin validation now uses strict equality checks instead of includes()
- Validate postMessage origin against exact domain: https://dashboard.clevertap.com
3. COMPENSATING CONTROLS (if immediate patching not possible):
- Implement custom origin validation wrapper around window.postMessage listeners
- Use URL.parse() to validate origin protocol, hostname, and port explicitly
- Disable Visual Builder module if not actively used
- Restrict CleverTap dashboard access to whitelisted IP ranges
4. DETECTION RULES:
- Monitor for postMessage events with origin containing 'clevertap' but not exact match
- Alert on DOM manipulation attempts from unexpected origins
- Log all Visual Builder module interactions with source origin
- Implement WAF rules to block requests with suspicious subdomain patterns (*.*.clevertap.com variations)
🔧 خطوات المعالجة (العربية)
1. الإجراءات الفورية:
- تدقيق جميع تطبيقات CleverTap Web SDK عبر المنظمة
- تحديد الأنظمة التي تعمل بالإصدارات 1.15.2 أو أقدم
- تطبيق رؤوس سياسة أمان المحتوى (CSP) مع توجيهات صارمة frame-ancestors و script-src
- تفعيل رأس X-Frame-Options: DENY على جميع الصفحات التي تستخدم CleverTap
2. إرشادات التصحيح:
- ترقية CleverTap Web SDK إلى الإصدار 1.15.3 أو أحدث فوراً
- اختبار الترقيات في بيئة التطوير قبل نشرها في الإنتاج
- التحقق من أن التحقق من الأصل يستخدم الآن فحوصات المساواة الدقيقة بدلاً من includes()
- التحقق من أصل postMessage مقابل المجال الدقيق: https://dashboard.clevertap.com
3. الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
- تطبيق غلاف التحقق من الأصل المخصص حول مستمعي window.postMessage
- استخدام URL.parse() للتحقق من بروتوكول الأصل واسم المضيف والمنفذ بشكل صريح
- تعطيل وحدة Visual Builder إذا لم تكن قيد الاستخدام النشط
- تقييد الوصول إلى لوحة معلومات CleverTap بنطاقات IP مدرجة في القائمة البيضاء
4. قواعد الكشف:
- مراقبة أحداث postMessage مع أصل يحتوي على 'clevertap' لكن ليس مطابقة دقيقة
- تنبيهات محاولات معالجة DOM من أصول غير متوقعة
- تسجيل جميع تفاعلات وحدة Visual Builder مع أصل المصدر
- تطبيق قواعس WAF لحجب الطلبات ذات أنماط النطاق الفرعي المريبة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 - 5.1.1: Access Control - Origin validation failure violates principle of least privilege
ECC 2024 - 5.2.2: Cryptography and Data Protection - XSS enables unauthorized data access
ECC 2024 - 5.3.1: Application Security - Input validation and output encoding deficiency
ECC 2024 - 5.4.1: Web Application Security - DOM-based XSS vulnerability
🔵 SAMA CSF
SAMA CSF - Governance & Risk Management: Vulnerability management and patch deployment
SAMA CSF - Information Security: Application security controls and secure coding practices
SAMA CSF - Operational Resilience: Detection and response to web-based attacks
SAMA CSF - Third-party Risk: CleverTap SDK security assessment and vendor management
🟡 ISO 27001:2022
ISO 27001:2022 - A.5.23: Secure development policy and secure coding practices
ISO 27001:2022 - A.8.24: Protection against malware and malicious code
ISO 27001:2022 - A.8.25: Monitoring and testing of information systems
ISO 27001:2022 - A.8.28: Secure coding practices for application development
🟣 PCI DSS v4.0.1
PCI DSS 4.0 - Requirement 6.2.4: Security patches and updates for web applications
PCI DSS 4.0 - Requirement 6.5.1: Injection flaws prevention
PCI DSS 4.0 - Requirement 6.5.10: Broken access control and authentication mechanisms