A security risk has been discovered in the SAM functionality, whereby malicious actors were using the SAM redirection link to point users to fraudulent sites, hidden behind a valid-looking URL. This security risk only applies to customers using the "redirectTo" URL in the email campaign link.

To address this risk, the SAM functionality will now only allow redirections to trusted sites that are whitelisted in the backend point of sale configuration. This list can be found on the "Gravity" tab, as shown below:

The list consists of a single domain per line. To allow a SAM redirection to an external site, the domain of the site must appear in this list. Access is also authorized for subdomains of those listed here.

If left empty, redirections will only be allowed to the domain of this point of sale (including subdomains).

For example, to authorize redirections to https://mydomain.com, the list must include mydomain.com. Subdomains, such as subdomain.mydomain.com, will also be authorized.
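The matching rules described above (one domain per line, subdomains included, fallback to the point of sale's own domain when the list is empty) can be sketched as follows. This is an added example, not the product's own code: the function names, the `shop.example` and `evil.example` domains, and the extra URL hygiene checks (http/https only, no backslashes or control characters) are assumptions.

```python
from urllib.parse import urlsplit

def parse_allowlist(text):
    """One domain per line; blank lines are ignored, matching is case-insensitive."""
    return [ln.strip().lower().rstrip(".") for ln in text.splitlines() if ln.strip()]

def is_redirect_allowed(redirect_to, allowlist_text, pos_domain):
    """Return True only if redirect_to targets an allowed domain or one of its subdomains."""
    # Assumption: reject backslashes, whitespace and control characters, which
    # browsers and server-side URL parsers can interpret differently.
    if any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F for c in redirect_to):
        return False
    try:
        parts = urlsplit(redirect_to)
    except ValueError:
        return False
    # Assumption: only absolute http(s) URLs are valid campaign targets.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".")  # hostname drops userinfo and port, lowercases
    # Empty list: fall back to the point of sale's own domain.
    allowed = parse_allowlist(allowlist_text) or [pos_domain.lower()]
    # Exact match, or a suffix match on a label boundary (leading dot).
    return any(host == d or host.endswith("." + d) for d in allowed)

if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("https://subdomain.mydomain.com/offer",
                "https://mydomain.com.evil.example/",
                "https://evilmydomain.com/"):
        print(url, is_redirect_allowed(url, "mydomain.com\n", "shop.example"))
```

The leading dot in the suffix comparison is what keeps look-alike hosts such as `evilmydomain.com` and `mydomain.com.evil.example` from matching an entry for `mydomain.com`.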
