GHSA-q43x-79jr-cq98: tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript
A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element such as:
<img name="currentScript" src="https://malicious.example.com">
it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an <img> element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly.
This issue arises because in some browser environments, named DOM elements (e.g., name="currentScript") become properties on the global document object.
Impact
An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron.
Fix https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3
The issue was resolved by verifying that document.currentScript is an instance of HTMLScriptElement. If not, the script now falls back safely to the last <script> tag on the page.
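The guard described above, as an added example that is not code from tarteaucitron.js or its fix commit. The function names, the base-path derivation from `src`, and the stand-in DOM classes are assumptions made so the sketch runs under Node; in a browser you would pass `document` and `HTMLScriptElement`.

```javascript
// Added example: type-check document.currentScript before trusting its src.
// All names here are hypothetical, not taken from the library.
function resolveLoaderScript(doc, ScriptElement) {
  const candidate = doc.currentScript;
  if (candidate instanceof ScriptElement) {
    return candidate; // a genuine <script> element
  }
  // Fallback described in the advisory: the last <script> tag on the page.
  const scripts = doc.getElementsByTagName('script');
  return scripts.length > 0 ? scripts[scripts.length - 1] : null;
}

// Assumed use of the element: derive the directory the library loads from.
function scriptBasePath(script) {
  if (!script || typeof script.src !== 'string') return null;
  const noQuery = script.src.split('?')[0];
  return noQuery.substring(0, noQuery.lastIndexOf('/') + 1);
}

// Constructed stand-ins for HTMLScriptElement / HTMLImageElement and document.
class FakeScript { constructor(src) { this.src = src; } }
class FakeImage { constructor(src) { this.src = src; } }
function makeDocument(currentScript, scripts) {
  return {
    currentScript,
    getElementsByTagName: (tag) => (tag === 'script' ? scripts : []),
  };
}

// Constructed sample page: one legitimate loader script, plus an <img>
// whose name attribute shadows document.currentScript.
const legit = new FakeScript('https://cdn.example.org/lib/tarteaucitron.js?v=1');
const clobber = new FakeImage('https://malicious.example.com/assets/x.png');
const clobberedDoc = makeDocument(clobber, [legit]);

// Pre-fix behaviour: the src of whatever document.currentScript returns is used.
function unguardedBasePath(doc) {
  return scriptBasePath(doc.currentScript);
}

// Post-fix behaviour: only a real script element is accepted.
function guardedBasePath(doc) {
  return scriptBasePath(resolveLoaderScript(doc, FakeScript));
}

console.log('unguarded:', unguardedBasePath(clobberedDoc));
console.log('guarded:  ', guardedBasePath(clobberedDoc));
```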
References
- GHSA-q43x-79jr-cq98
- AmauriC/tarteaucitron.js@230a3b6