The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.Referenceshttps://auth0.com/docs/security/bulletins/cve-2018-7307
