DEV Community

prince singwal

Finding Vulnerable Quill.js Usage in Production Applications

While testing a web application recently, I noticed that the platform was loading an outdated version of Quill.js from a static asset URL.

Vulnerable Quill.js 1.3.6

The application was using:

  • Quill.js 1.3.6

After checking the version, I found that this release is affected by multiple publicly disclosed security issues.

What is Quill.js?

Quill.js is a popular rich text editor used in many modern web applications for chat systems, post editors, comments, messaging features, and internal dashboards.

Because rich text editors process user-controlled HTML content, outdated versions can introduce serious client-side security risks.

Vulnerabilities Identified

1. Reverse Tabnabbing

Affected Versions:

  • Quill.js < 1.3.7

Severity:

  • Medium

Reference:

  • GHSA-588m-9qg5-35pq

Technical Details

The vulnerable implementation uses:

target="_blank"

without:

rel="noopener"

This allows the newly opened page to access:

window.opener

An attacker-controlled page can manipulate the original tab and potentially redirect users to phishing pages.

Example Attack Flow

  1. Victim clicks a malicious link inside editor content
  2. A new tab opens
  3. The attacker-controlled page executes:
window.opener.location = "https://fake-login-page.com";
  4. The original application tab gets replaced with a phishing page

This issue is commonly known as Reverse Tabnabbing.

2. Stored XSS via IMG onloadstart Attribute

Affected Versions:

  • Quill.js 1.3.6

Reference:

  • GHSA-4943-9vgg-gr5r
  • CVE-2021-3163

Severity:

  • Medium

Technical Details

The HTML editor can allow dangerous attributes on user-controlled HTML content.

A crafted payload using the onloadstart attribute on an IMG tag may trigger arbitrary JavaScript execution.

Example payload:

<img src=x onloadstart=alert(document.domain)>

If user input is improperly sanitized before rendering, this can lead to Stored Cross-Site Scripting (Stored XSS).

The interesting part is that this issue is disputed by some maintainers because the behavior may depend on browser handling rather than Quill itself. However, from a security testing perspective, allowing executable event handlers in rendered content still creates real attack surface.
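Both issues above are fixed on the rendering side by rewriting the HTML that the editor produces before it reaches the page. The following is an added example, not code from this post or from Quill: it adds rel="noopener noreferrer" to every tag that opens a new window (issue 1) and strips every inline event-handler attribute such as onloadstart (issue 2). The function names, regexes and sample strings are my own; a maintained allow-list sanitizer such as DOMPurify is the production tool, and this shows only the two specific fixes.

```javascript
// Added example (not from the post or from Quill). Post-process rich-text HTML
// before rendering: tags with target="_blank" get rel="noopener noreferrer",
// which severs window.opener, and inline on* handlers are dropped.

// Opening tags only; quoted attribute values may legitimately contain '>'.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
// One attribute: name, then an optional = value (double-quoted, single-quoted or bare).
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

function rebuildTag(tagName, attrString) {
  const selfClosing = /\/\s*$/.test(attrString);
  const body = selfClosing ? attrString.replace(/\/\s*$/, '') : attrString;
  const kept = [];
  const relTokens = [];
  let opensNewWindow = false;
  for (const m of body.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const raw = m[2];
    const value = raw === undefined ? null
      : (raw[0] === '"' || raw[0] === "'") ? raw.slice(1, -1) : raw;
    if (name.startsWith('on')) continue;            // inline handler: never render it
    if (name === 'rel') {                           // existing tokens are merged back below
      if (value) relTokens.push(...value.toLowerCase().split(/\s+/).filter(Boolean));
      continue;
    }
    if (name === 'target' && value !== null && value.toLowerCase() === '_blank') opensNewWindow = true;
    kept.push(value === null ? name : `${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  if (opensNewWindow) {
    for (const t of ['noopener', 'noreferrer']) if (!relTokens.includes(t)) relTokens.push(t);
  }
  if (relTokens.length) kept.push(`rel="${relTokens.join(' ')}"`);
  const attrs = kept.length ? ' ' + kept.join(' ') : '';
  return `<${tagName}${attrs}${selfClosing ? ' /' : ''}>`;
}

// Rewrites every opening tag in `html`; text nodes and closing tags pass through.
function hardenRichTextHtml(html) {
  return html.replace(TAG_RE, (_whole, tagName, attrString) => rebuildTag(tagName, attrString));
}

// Constructed samples mirroring the two issues described in the post.
const samples = [
  '<a href="https://example.test/" target="_blank">link</a>',
  '<img src=x onloadstart=alert(document.domain)>',
];
for (const s of samples) console.log(hardenRichTextHtml(s));
```

Run it with Node to see the first sample gain the rel attribute and the second lose its onloadstart handler; javascript: URLs in href and other attribute-level hazards are outside the two fixes shown here.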

Why This Matters

Outdated frontend libraries are often overlooked during security reviews.

Many organizations focus heavily on backend vulnerabilities while client-side dependencies remain outdated for years.

Rich text editors are especially sensitive because they directly process HTML content generated by users.

Even medium-severity issues can become dangerous when combined with:

  • Session-based authentication
  • Admin panels
  • Internal messaging systems
  • Content management features
