javascript - Could this be considered a security vulnerability?


I discovered that the JavaScript on a site doesn't sanitize external data (the sitename), but it's used in such a way that I don't think it represents a problem. Certainly, the best thing would be to filter for the expected values before they interact with the code, so there is no worry about unexpected input. But how could damage be inflicted in the current setup?

    var branding = {
        'website1.com' : {
            color: 'red'
        },
        'website2.com' : {
            color: 'blue'
        }
    };

    // Hostname of the referring page: the third '/'-separated field of the URL.
    var sitename = document.referrer.split('/')[2];

    var myelements = document.querySelectorAll(".some-class-name");

    // Apply the referrer-specific colour to every matching element.
    for (var i = 0; i < myelements.length; i++) {
        myelements[i].style.color = branding[sitename]['color'];
    }

This code is poorly conceived, but I don't think it's exploitable.

  • document.referrer.split('/')[2] extracts the hostname of the referrer. An attacker might have control over the hostname, but only to a limited degree; they can't put anything in that field that they can't register or set as a domain name.

  • branding[sitename] could do interesting things if sitename were the name of an internal property on the object, such as __proto__, or a method name, such as hasOwnProperty. However, none of these properties would be valid internet hostnames, since none of them have periods in them. __proto__ contains underscores, which aren't valid in hostnames either!

  • Even if sitename were not constrained, the following ['color'] still limits the code. Functions (like hasOwnProperty) wouldn't have a color property; nor would the object prototype, so this looks like a dead end.

  • Even if we assume that a weird value or function somehow got through as the result, assigning that value to .style.color wouldn't do anything weird.

The potential vulnerability can be avoided, though:

    var sitename = document.referrer.split('/')[2];

    if (branding.hasOwnProperty(sitename)) {
        // ...
    } else {
        // ...
    }

Object.hasOwnProperty is false for method names and "weird" properties like __proto__; it's only true for properties that have been explicitly declared on the object. This limits the following code to running only for the intended site names.
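As an added example (not code from the question or the answer above), the snippet below reproduces the unchecked lookup from the question against the prototype-chain keys the answer discusses, and puts the own-property check beside it. The BRANDING table, the hostnameFromReferrer helper and the 'black' fallback are assumptions made for the example; document.referrer is replaced by a plain string so it runs outside a browser.

```javascript
// Constructed branding table, mirroring the shape used in the question.
const BRANDING = {
  'website1.com': { color: 'red' },
  'website2.com': { color: 'blue' },
};

// Same extraction as the question: third '/'-separated field of the referrer.
// An empty referrer yields undefined, which the checks below must tolerate.
function hostnameFromReferrer(referrer) {
  return referrer.split('/')[2];
}

// Unchecked lookup exactly as in the question. Because plain property access
// walks the prototype chain, keys such as "__proto__" or "hasOwnProperty"
// resolve to Object.prototype or a function; reading ['color'] from those
// gives undefined rather than anything an attacker controls. A hostname that
// is simply absent from the table throws a TypeError instead.
function uncheckedColor(sitename) {
  return BRANDING[sitename]['color'];
}

// Reports whether the unchecked lookup crashes for a given key, so the
// failure mode (the styling loop aborting on unknown referrers) is visible.
function uncheckedLookupThrows(sitename) {
  try {
    uncheckedColor(sitename);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Hardened lookup: only keys explicitly declared on BRANDING are honoured.
// Object.prototype.hasOwnProperty.call is used rather than
// BRANDING.hasOwnProperty so the check cannot be shadowed by a table entry
// of that name; Object.hasOwn would do the same on current engines.
function brandedColor(sitename, fallback = 'black') {
  if (Object.prototype.hasOwnProperty.call(BRANDING, sitename)) {
    return BRANDING[sitename].color;
  }
  return fallback;
}

// Prototype keys resolve to something under the unchecked lookup ...
console.log(BRANDING['__proto__'] === Object.prototype);        // true
console.log(typeof BRANDING['hasOwnProperty']);                  // "function"
// ... but produce no colour, while an unknown real hostname throws.
console.log(uncheckedColor('__proto__'));                        // undefined
console.log(uncheckedLookupThrows('unknown.example'));           // true
// The own-property check gives a defined answer in every case.
console.log(brandedColor(hostnameFromReferrer('https://website2.com/page'))); // "blue"
console.log(brandedColor('__proto__'));                          // "black"
console.log(brandedColor(hostnameFromReferrer('')));             // "black"
```

The practical takeaway matches the answer: the prototype keys are a curiosity rather than an injection path, but the unchecked version still breaks the page for any referrer not in the table, and the own-property guard fixes both concerns at once.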
