## Background
For applications which used the Google API tamings (not enabled by default), the taming of the `google.load` function did not sanitize its arguments sufficiently.
## Impact and Advice
The vulnerability allows invoking arbitrary functions on the host page that can be accessed through properties on the global object, with no arguments. The exact impact of this depends on the contents of the host page; for more information read about “reverse clickjacking” at
https://plus.google.com/u/0/+AleksandrDobkin-Google/posts/JMwA7Y3RYzV.
All users which load `google.load.loaderFactory.js` in their Caja deployments should upgrade to Caja
If there is a problem upgrading, it is also feasible to apply the below patch directly, but we do not recommend using old versions of Caja any longer than necessary.
## More Information
The patch for the vulnerability may be found at: