
PEN test claim against vaadinBootstrap.js
Using Vaadin 7.7.4, I ran Burp Suite Professional against my solution.
Burp complains about a construction in vaadinBootstrap.js.
It is most certainly a false positive, but I need some hints for explaining why to the pen tester.
I am not a JS developer, I am a Java developer; that is why I like using Vaadin.
The full text of the finding is:
The application may be vulnerable to DOM-based open redirection. Data is read from window.location.href and passed to the 'open()' function of an XMLHttpRequest object via the following statements:
url = window.location.href.replace(/#.*/,'');
r.open('POST', url, true);
DOM-based open redirection arises when a script writes controllable data into the target of a redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Any hints on what I should explain to the pen testers?
It is indeed a false positive. This is discussed in a closed bug ticket.
In short: "The code reads the URL from the window (so the active window's URL), replaces everything after the first hashtag. I do not see a way to trigger an open redirect, because then you'd need to be able to control the beginning of the URL, which you can't."