EXIF Viewer Classic vulnerable to cross-site scripting

Overview

EXIF Viewer Classic provided by Rodrigue (former Kakera) contains a cross-site scripting vulnerability.

Description

EXIF Viewer Classic provided by Rodrigue (former Kakera) is a Google Chrome browser extension.
The affected versions of the product improperly handle EXIF meta data, resulting in a cross-site scripting vulnerability (CWE-79).

Versions 2.3.2 and 2.4.0 were reported as vulnerable. The vendor informs us that the product has been refactored after those old versions and that the current version 3.0.1 is not vulnerable.

Impact

When an image is rendered and crafted EXIF meta data is processed, an arbitrary script may be executed on the web browser.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

JPCERT/CC Addendum

The vendor was in “the list of unreachable developers” for some years.
The communication was established recently and we reached to the agreement to publish this JVN.

Credit

Yuji Tounai of Mitsui Bussan Secure Directions, Inc. and Kouhei Morita reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.