Back in December 2017 I discovered several XSS in a kit for Iframe buster and provided by Google.
I was young and lazy, and at this time I only report it to full disclosure:
Shortly after that Google remove the kit and provided a help page for user concerned (https://support.google.com/admanager/answer/7622991) which seems fine with me and should fix the issue.
Since that I found two other that was also on the kit and not listed on Google help page. End of this side of the story, now let start why I’m here.
As I never put any more effort than this email they are no CVE or NVT for those XSS, and even the website listed my original email have still the file present.
I now want to make some effort in order to fix this, so my question are:
- Should I ask/create a CVE for those XSS ?
- Should I ask/create a NVT ?
In order to create an NVT:
- Should I create one per file, or only one for all those file ?
- Should I only check the presence of the file, or should I be able to prove the XSS on each file ?