Prevent renderAd from overwriting the website DOM document #607

kasparsd · 2016-09-07T05:42:27Z

Fixes #602

kasparsd · 2016-09-07T05:47:03Z

src/prebid.js

@@ -441,7 +441,9 @@ $$PREBID_GLOBAL$$.renderAd = function (doc, id) {
        var url = adObject.adUrl;
        var ad = adObject.ad;

-        if (ad) {
+        if (doc===document) {


We need mark the winning bid before bailing out if the ad render call tries to replace the top document. Previously I had placed it right before the if (adObject) check but that's too early.

mkendall07 · 2016-09-07T14:04:07Z

LGTM. Thanks!

* Ensure that we’re not writing to the current document * Check for current document access after marking the ad as winning bid

kasparsd added 2 commits September 6, 2016 23:04

Ensure that we’re not writing to the current document

113e456

Check for current document access after marking the ad as winning bid

71b559a

kasparsd reviewed Sep 7, 2016
View reviewed changes

mkendall07 merged commit ea0aba8 into prebid:master Sep 7, 2016

kasparsd deleted the feature/secure-adrender-document branch November 9, 2016 10:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Prevent renderAd from overwriting the website DOM document #607

Prevent renderAd from overwriting the website DOM document #607

kasparsd commented Sep 7, 2016

kasparsd Sep 7, 2016

mkendall07 commented Sep 7, 2016

Prevent renderAd from overwriting the website DOM document #607

Prevent renderAd from overwriting the website DOM document #607

Conversation

kasparsd commented Sep 7, 2016

kasparsd Sep 7, 2016

Choose a reason for hiding this comment

mkendall07 commented Sep 7, 2016