Topic: BigbangWP issues with invalid property id in javascript code...


What code error?
Code:
found JavaScript
     error: line:4: SyntaxError: invalid property id:
          error: line:4:
          error: line:4: .^
Error probably because of not using the right syntax.

Where was it found? In: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmidmas.com%2Fwp-content%2Fthemes%2Fbigbangwp%2Fjavascript%2Fcustom.js%3Fver%3D4.3.5
See how this could work through on:  http://www.google-analytics.com/urchin.js  (when we see no SRI hashes generated).
And we have that with a B-Status here and just for this code: https://sritest.io/#report/bbfcf2a1-ca9b-456c-890c-f48c6c2f2050

XSS threat: if an attacker can change the content of window.location.href, he might change it to ")alert("Inject successful!")//"
If they could change it, this is dangerous, because someone could pass <script>alert('Haaaaax!');</script>
Info credit "Niet the Dark Absol".

This script was found on a website that was being repeatedly hacked and defaced: https://urlquery.net/report.php?id=1469570397322
Also has vulnerable prettyPhoto aboard: the very old 3.1.2 version is used, which is XSS-DOM vulnerable.

What about this? http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmidmas.com%2Fwarning-htmlspecialchars-charset-utf-7-not-supported-assuming-utf-8-in-homemidmaspublic_htmlwp-includesformatting-php-on-line-3436about-us%2F

And there might be more insecurity, as the above was found at a first glance over the code... but one could easily now imagine the interrelated insecurity here.

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: July 27, 2016, 01:21:46 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!