Mitigate Security Risk Protect Global _paq Exposure

[bstoyanovhubject]

The _paq variable is currently exposed globally on the window object.
This means any script running in the browser, including malicious ones or browser extensions, can modify or replace _paq. This could lead to altered or lost tracking data, or unauthorized access to tracking events.

Example code overriding _paq:
window._paq = { push: (data) => { // Malicious code } };

Suggested solutions:

• Consider making _paq read-only.
• Use a clone or proxy of _paq internally to prevent external modifications.

[EmmanuelRoux]

This seems not related to this library.

It depends on the JS implementation of Matomo client (repository here)

[bstoyanovhubject]

I would say both yes and no.
Yes, it is related to the implementation of Matomo, but it also used in this library, since ngx-matomo-client relies on it.

This could be easily broken:

push(args: NonEmptyArray<unknown>): void {
    if (this.config.runOutsideAngularZone) {
      this.ngZone.runOutsideAngular(() => {
        window._paq.push(trimTrailingUndefinedElements(args));
      });
    } else {
      window._paq.push(trimTrailingUndefinedElements(args));
    }
  }

Like this:
window._paq = { nosensefunc: ( ) => { };

and the result in the browser is :
window._paq.push is not a function at ngx-matomo-client-core.mjs:251:29 at _ZoneDelegate.invoke (zone.js:369:28) at ZoneImpl.run (zone.js:111:43) at NgZone.runOutsideAngular (core.mjs:7142:28) at InternalMatomoTracker.push (ngx-matomo-client-core.mjs:250:25) at MatomoTracker.setDocumentTitle (ngx-matomo-client-core.mjs:558:23) at Object.next (ngx-matomo-client-router.mjs:340:53) at source.subscribe.isUnsub (tap.js:17:81) at OperatorSubscriber._next (OperatorSubscriber.js:13:21) at OperatorSubscriber.next (Subscriber.js:31:18)