Security researchers from Minded Security have identified a document object model (DOM)-based cross-site scripting (XSS) vulnerability on Google.com.
According to the researchers, DOMinatorPro revealed a piece of code in googleadservices.com /pagead/landing.js which used invalidated input to build the argument for two “document.write ” calls.
“[This] means that one more time a (almost) 3rd party script introduces a flaw in the context of an unaware domain,” Minded Security’s Stefano Di Paola explained.
Di Paola suggested one workaround, but Google decided to address this issue by removing the problematic script altogether.
Unlike the traditional XSS vulnerabilities that occur in the server-side code, DOM-based XSS affects the script code in the client’s browser.