Script Src Integrity Check

High Nessus Plugin ID 119811

Synopsis

Reports external script resources that are loaded without a Subresource Integrity (SRI) integrity attribute.

Description

The remote host may be vulnerable to exfiltration of payment entry data because it includes JavaScript via script src from potentially untrusted and unverified third parties. Without an integrity attribute the browser executes whatever the third-party host serves, so a compromise of that host or CDN can silently replace the script with one that skims form fields.

If the script host is controlled by a third party, ensure that the third party is PCI DSS compliant.

Solution

Add an integrity attribute containing the SRI hash (sha256, sha384 or sha512 over the exact bytes served) to the target script tag, together with crossorigin="anonymous" so the browser can verify a cross-origin response, or remove the target script. Note that a pinned script will refuse to load if the third party changes the file in place, so the hash must be regenerated whenever the dependency is updated.

See Also

http://www.nessus.org/u?c9e76c4f

https://www.w3.org/TR/SRI/

http://www.nessus.org/u?f39144f8

Plugin Details

Severity: High

ID: 119811

File Name: script_src_integrity.nasl

Version: 1.3

Type: remote

Family: Web Servers

Published: 2018/12/20

Updated: 2019/03/27

Dependencies: 10662

Risk Information

Risk Factor: High

CVSS Score Source: manual

CVSS Score Rationale: Score based on analysis of vulnerability.

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:N

CVSS v3.0

Base Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N