UI redress attack

Hi Complianz team,

My client forwarded me an email with a VULNERABILITY REPORT : CLICK JACKING from someone who presents himself as a security researcher and freelance ethical hacker. He said he has discovered the vulnerability in our website;

It concerns the layer over the website of the Cookie notification from Complianz,
should we take this seriously? please read the sender’s content:

” Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

<html>
<head><title>Clickjack test page</title></head>
<body>

<h1> Clickjacking in your website </h1>
<iframe width=”1000″ height=”500″ src=”https ://our website/
“/>

</body>

</html>

Impact:
The site can also be opened in an iframe after the user has logged it making it hard for the user to avoid phishing.A user can be tricked into downloading amalicious file that an attacker wants a user to download, allowing an attacker to gain access to the users device .

Remediation :
Add an iframe destroyer in the header of the page”

ik waardeer zeer jullie advies, dank en vriendelijke groet van Erna Braat

The page I need help with: [log in to see the link]