A spoofing vulnerability exists in VS Code 1.65.0 and earlier versions where the <iframe> used for rendering webviews could be embedded in a parent frame with an unexpected origin, and the <iframe> would communicate with the parent frame despite its unexpected origin.
Patches
The fix is available starting with VS Code 1.65.1. The fix (c569182) mitigates this attack by restricting the <iframe> origin to a value that is computed taking the parent frame origin into account, thus isolating different parent frame origins.
Workarounds
There are no known workarounds.
References
A spoofing vulnerability exists in VS Code 1.65.0 and earlier versions where the
<iframe>used for rendering webviews could be embedded in a parent frame with an unexpected origin, and the<iframe>would communicate with the parent frame despite its unexpected origin.Patches
The fix is available starting with VS Code 1.65.1. The fix (c569182) mitigates this attack by restricting the
<iframe>origin to a value that is computed taking the parent frame origin into account, thus isolating different parent frame origins.Workarounds
There are no known workarounds.
References