We faced an XSS attack in an iframe which we ship to our customers. Owing to senstivity of iframes we decided to go for Window.open method. Below is a sample attached JS which sits in customer's space. Can anyone enlighten on how it is vulnerable to XSS
<p>
<script type="text/javascript">
function invokeVidteqPopup() {
window.open('http://www.vidteq.com/stage/which.php?urlid=cis','Video','status=1,width=800,height=600,scrollbars=0,resizable=1');
}
document.write("<span style='text-align:left;'><a style='font-family:Trebuchet MS,Arial;cursor:pointer;font-size:15px;color:black;border: 0px solid black' onclick=invokeVidteqPopup();>Click For Video Directions</a><span><br/><a href='javascript:void(0);' style='border: 0px solid black' onclick=invokeVidteqPopup(); ><img src='images/sub/vidteq_map.jpg' style='cursor:pointer;border: 0px solid black'/></a>");
</script>
<span style="text-align: left;">
<a onclick="invokeVidteqPopup();" style="border: 0px solid black; font-family: Trebuchet MS,Arial; cursor: pointer; font-size: 15px; color: black;">Click For Video Directions</a>
<span>
<br/>
<a onclick="invokeVidteqPopup();" style="border: 0px solid black;" href="javascript:void(0);">
<img style="border: 0px solid black; cursor: pointer;" src="images/sub/vidteq_map.jpg"/>
</a>
</span>
</span>
</p>
An additional similar function was found injected on the page
function ow(theURL)
{ //v2.0
window.open(theURL,'h','width=600,HEIGHT=500,screenY=10,left=10,top=10,screenX=10,statusbar=0,menubar=0,resizable=0');
}
Is it a consequence of XSS or some other malicious stuff