Malicious Service Worker
A service worker registered with a broad scope receives every network request made by every page under that scope on its origin, including pages that never loaded the worker's script.
How It Works
Service workers act as a programmable network proxy between the pages on your origin and the server. A worker registered at the root scope ('/') gets a fetch event for every request made by every page on that origin, login form submissions and API calls included, and can read, rewrite or redirect them. The browser only installs a same-origin script served with a JavaScript MIME type, and the default scope is the script's directory, so the attack needs two things: a same-origin URL whose JavaScript content the attacker controls (a file upload served as application/javascript, a JSONP endpoint with an unrestricted callback parameter, a site feature that stores user-supplied scripts) and a way to call register(), typically an XSS. Once registered, the worker outlives the page that installed it.
// BAD: no scope option; the scope defaults to the script's directory, so a
// worker served from /sw.js controls every page on the origin
navigator.serviceWorker.register('/sw.js');

// GOOD: keep the worker script under the app's path and name the scope explicitly
navigator.serviceWorker.register('/app/sw.js', {
  scope: '/app/' // only pages under /app/ are controlled; their requests are intercepted
});
Real-World Example
Researchers demonstrated persistent XSS via service workers on sites that served user-supplied JavaScript from the main origin or exposed endpoints whose JavaScript output an attacker could shape. Once registered, the malicious worker survives page reloads and navigations and keeps intercepting traffic, exfiltrating credentials and session tokens, until the registration is removed or its script URL stops serving the attacker's code.
How to Prevent It
- Register your own workers with an explicit scope and keep each worker's script under the path it serves. Treat this as hygiene rather than a defense: an attacker who can register a worker chooses their own scope, bounded only by where their script is served from.
- Do not emit a Service-Worker-Allowed header on responses for user-supplied or user-influenced content. The header widens the maximum scope beyond the script's directory; a value of / on a script served from a deep upload path hands over the whole origin.
- Send a Content-Security-Policy with a tight worker-src directive (browsers fall back to child-src, then script-src), so register() only accepts worker scripts from the paths you intend.
- Audit every same-origin URL that can return attacker-influenced bytes with a JavaScript MIME type: file uploads, JSONP callbacks, stored user scripts. Serve uploads from a separate origin with X-Content-Type-Options: nosniff and a non-script Content-Type, since register() only accepts same-origin scripts served as JavaScript.
- For cleanup, make the attacker's script URL return 404 or 410, which the Service Worker spec treats as a signal to clear the registration on the next update check, or serve a replacement worker at that URL that unregisters itself on activation.
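As an added example (not code from the original page or from Data Hogo), the following Node script models the two rules from the Service Worker spec that the points above rely on: a script may only claim a scope at or below its maximum scope, which is the script's directory unless a Service-Worker-Allowed header widens it, and a page is controlled by the registration whose scope is the longest prefix of the page URL. The https://example.com URLs, the uploaded evil.js, and the function names are this example's own assumptions.

```javascript
// Added example, not code from the original page or from Data Hogo: a
// Node-runnable model of how much a service worker registration can intercept.
// The example.com URLs, /uploads/evil.js and all function names are assumed.

// JavaScript MIME types a browser accepts for a service worker script.
const JS_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
  'application/ecmascript', 'text/ecmascript',
]);

// '/uploads/evil.js' -> '/uploads/', '/sw.js' -> '/'
function directoryOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf('/') + 1);
}

// Largest scope a script served with these response headers may claim.
// `headers` is a plain object keyed by lower-case header name.
function maxScopeFor(scriptUrl, headers) {
  const allowed = headers['service-worker-allowed'];
  if (allowed === undefined) {
    const u = new URL(scriptUrl);
    return u.origin + directoryOf(u.pathname);
  }
  // The header value is resolved against the script URL, as the spec does.
  return new URL(allowed, scriptUrl).href;
}

function isJavaScriptResponse(headers) {
  const type = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return JS_TYPES.has(type);
}

// What navigator.serviceWorker.register(scriptUrl, { scope }) called from
// `pageUrl` would decide for a script whose response carries `headers`.
function canRegister(pageUrl, scriptUrl, headers, scope) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  if (script.origin !== page.origin) {
    return { ok: false, reason: 'script must be same-origin with the page' };
  }
  if (!isJavaScriptResponse(headers)) {
    return { ok: false, reason: 'script response does not have a JavaScript MIME type' };
  }
  // Default scope is the script's directory, as in the page's "BAD" example.
  const scopeUrl = new URL(scope ?? directoryOf(script.pathname), scriptUrl).href;
  const max = maxScopeFor(scriptUrl, headers);
  if (!scopeUrl.startsWith(max)) {
    return { ok: false, reason: `scope ${scopeUrl} exceeds max scope ${max}` };
  }
  return { ok: true, scope: scopeUrl };
}

// Which registration controls a page: the longest matching scope wins, or null.
function controllerFor(pageUrl, registrations) {
  let best = null;
  for (const reg of registrations) {
    if (pageUrl.startsWith(reg.scope) && (best === null || reg.scope.length > best.scope.length)) {
      best = reg;
    }
  }
  return best;
}

// Constructed scenario: the attacker has an XSS on https://example.com/ and an
// uploaded file served from the same origin at /uploads/evil.js.
function scenario() {
  const page = 'https://example.com/';
  const evil = 'https://example.com/uploads/evil.js';
  const asJs = { 'content-type': 'application/javascript' };
  return {
    // served as JavaScript but without Service-Worker-Allowed: root scope refused
    rootRefused: canRegister(page, evil, asJs, '/'),
    // the default scope works, but only pages under /uploads/ are controlled
    defaultScope: canRegister(page, evil, asJs, undefined),
    // a careless "Service-Worker-Allowed: /" on the upload hands over the origin
    widened: canRegister(page, evil, { ...asJs, 'service-worker-allowed': '/' }, '/'),
    // uploads served with a non-script type cannot become a worker at all
    blobType: canRegister(page, evil, { 'content-type': 'application/octet-stream' }, undefined),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(scenario())) {
    console.log(name, JSON.stringify(result));
  }
  const regs = [{ scope: 'https://example.com/uploads/', script: 'evil.js' }];
  console.log('controls /login:', controllerFor('https://example.com/login', regs));
  console.log('controls /uploads/x:', controllerFor('https://example.com/uploads/x', regs));
}
```

The scenario shows why the upload path and the Service-Worker-Allowed header matter more than the scope option in your own register() call: with the upload served as JavaScript but no header, the attacker's worker is confined to /uploads/ and never sees a login request; one permissive header on that response lets it claim / and control every page. In a browser, navigator.serviceWorker.getRegistrations() lists the live registrations and their scopes, which is the check to run when auditing an origin for an unexpected worker.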
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
Prototype Pollution
Severity: high. Merging user-controlled objects without filtering lets attackers modify Object.prototype and affect every object in the application.
ReDoS (Regex Denial of Service)
Severity: medium. Regular expressions with nested quantifiers can take exponential time to evaluate crafted inputs, freezing your Node.js event loop.
Insecure Randomness
Severity: high. Values generated with Math.random() for security-sensitive purposes such as tokens or IDs are predictable and can be brute-forced.