Hi Dong,
let me explain the SonarQube finding to you. SonarQube is a tool used for static code analysis. It looks for potentially vulnerable patterns or any other patterns you create. If the code matches the pattern (regex), SonarQube creates an alert. All alerts must be reviewed manually because there is a high likelihood of false positives.
Your finding - eval(originalScript); - is a false positive because the argument of the eval function does not contain user input. The script is built on our side without any user input.
A few other comments:
- The mentioned JavaScript file is used for cross-origin communication (postMessage API).
- The message receiver contains a security check that the message sender comes from a trusted origin.
- The message event data contains only a predefined constant - no user input.
- As mentioned, the script used as a parameter of the eval() function does not contain user input.
- Since it is rendered on the client side, even if there were untrusted input processed, it would be a client-side injection, not a server-side injection as Karolann wrote.
To sum it up - there is no vulnerability we are aware of. If you have more details or a working PoC, please send us an email at security[at]kentico.com
Thank you.
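The two checks described in the reply above (trusted-origin check, predefined-constant payload) as an added illustration; this is not Kentico's code, and the origins, message constants and handler names are assumed. It is written as a pure function over a MessageEvent-shaped object so it runs outside a browser.

```javascript
// Added example (not Kentico's code): a postMessage receiver that applies the
// two checks described above, as a pure function so it can run outside a browser.

// Assumed allow-list of trusted origins (constructed values).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Assumed set of predefined message constants the receiver understands.
// Each maps to a fixed handler; the message text itself is never executed.
const HANDLERS = {
  "frame:ready": () => ({ action: "markReady" }),
  "frame:resize": () => ({ action: "resize" }),
};

// Decide what to do with one incoming message.
// `event` mirrors the shape of a MessageEvent: { origin, data }.
// Returns { accepted, reason, result? } instead of acting, so it is testable.
function handleMessage(event, trustedOrigins = TRUSTED_ORIGINS, handlers = HANDLERS) {
  // Check 1: the sender must come from a trusted origin. Exact match only;
  // a prefix or substring test would accept "https://app.example.com.evil.test".
  if (!trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  // Check 2: the payload must be one of the predefined constants. Anything else
  // is dropped rather than interpreted, so event.data never reaches eval().
  // hasOwnProperty.call avoids matching inherited keys such as "constructor".
  if (typeof event.data !== "string" ||
      !Object.prototype.hasOwnProperty.call(handlers, event.data)) {
    return { accepted: false, reason: "unknown message" };
  }
  return { accepted: true, reason: "ok", result: handlers[event.data]() };
}

// In a browser this would be registered as:
//   window.addEventListener("message", (e) => handleMessage(e));
// Below, constructed events stand in for real MessageEvents.
const sampleEvents = [
  { origin: "https://app.example.com", data: "frame:ready" },          // accepted
  { origin: "https://app.example.com.evil.test", data: "frame:ready" }, // wrong origin
  { origin: "https://admin.example.com", data: "some arbitrary text" }, // not a constant
];

for (const ev of sampleEvents) {
  console.log(ev.origin, JSON.stringify(ev.data), "->", handleMessage(ev).reason);
}
```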