Widgets should not be public

This issue is found automatically by CODA.
Time to fix: 08h

What are Public Widgets used for?

The majority of widgets are private, serving internal client needs and offering a wide range of services. In some cases, however, customers may need to make specific widgets public. In ServiceNow, a public widget allows users who are not logged in to access information or functionality, such as:

  • Displaying a list of knowledge base articles.

  • Showing a real-time view of system status.

  • Providing a way for users to submit feedback.

These widgets are designed to be accessible to a wider audience, including non-authenticated users.

Why is this an issue?

Misconfigured public widgets may expose sensitive information. A widget should not be made public unless the application requires it.

For example, on October 14, 2023, a cybersecurity expert disclosed a critical vulnerability in ServiceNow that could allow attackers to access sensitive client data. The vulnerability stems from ACLs configured with no role, condition, or script, combined with public portal widgets such as the SimpleListWidget.

For more information, please see the official ServiceNow response.

How do I fix it?

To prevent public widgets from being accessible to non-authenticated users, make sure that the Public field is unmarked. To do this:

  1. In the Filter Navigator, type sp_widget.list and press Enter.

  2. In the list view, click the widget that needs to be changed.

  3. Unmark the Public field and Save.
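The following is an added example, not code from this page, from GROW/CODA or from ServiceNow. It shows how a defender can audit for the two conditions described above before fixing widgets by hand: it lists every public widget and, for each, checks whether the table its server script reads is covered by a "wide open" read ACL (no role, no condition, no script). The records are constructed samples; on a real instance the two arrays would be filled from GlideRecord queries on sp_widget and sys_security_acl. Two simplifications are assumptions: `roles` is flattened onto each ACL record (on an instance the roles live in the related sys_security_acl_role table), and `reads_table` is an annotation of which table the widget queries, not an sp_widget column.

```javascript
// Added example (not GROW/CODA or ServiceNow code): offline audit of public
// widgets cross-checked against wide-open read ACLs.
// Assumptions: `roles` flattened onto the ACL record; `reads_table` is an
// added annotation, not a real sp_widget field.

// Constructed sample: widget records modelled on sp_widget.
const SAMPLE_WIDGETS = [
  { sys_id: "w1", id: "kb-article-list", name: "KB Article List", public: true,  reads_table: "kb_knowledge" },
  { sys_id: "w2", id: "system-status",   name: "System Status",   public: true,  reads_table: "sys_status" },
  { sys_id: "w3", id: "my-requests",     name: "My Requests",     public: false, reads_table: "sc_request" },
  { sys_id: "w4", id: "simple-list",     name: "Simple List",     public: true,  reads_table: "sys_user" },
];

// Constructed sample: ACL records modelled on sys_security_acl.
const SAMPLE_ACLS = [
  // no role, no condition, no script: anyone who reaches the table can read it
  { sys_id: "a1", name: "kb_knowledge", operation: "read", active: true,  roles: [],        condition: "",            script: "" },
  { sys_id: "a2", name: "sys_user",     operation: "read", active: true,  roles: [],        condition: "",            script: "" },
  // restricted by a role
  { sys_id: "a3", name: "sc_request",   operation: "read", active: true,  roles: ["itil"],  condition: "",            script: "" },
  // restricted by a condition
  { sys_id: "a4", name: "sys_status",   operation: "read", active: true,  roles: [],        condition: "active=true", script: "" },
  // inactive ACLs grant nothing and are ignored
  { sys_id: "a5", name: "sys_user",     operation: "read", active: false, roles: ["admin"], condition: "",            script: "" },
];

// A read ACL that is active but has no role, condition or script restricts nothing.
function isWideOpenAcl(acl) {
  return acl.active === true &&
    acl.operation === "read" &&
    acl.roles.length === 0 &&
    acl.condition.trim() === "" &&
    acl.script.trim() === "";
}

// Widgets whose Public field is marked: the ones the fix above applies to.
function findPublicWidgets(widgets) {
  return widgets.filter((w) => w.public === true);
}

// ACLs covering a table: the table-level ACL or its wildcard field ACL "table.*".
function aclsForTable(acls, table) {
  return acls.filter((a) => a.name === table || a.name === table + ".*");
}

// One finding per public widget; "high" when its table has a wide-open read ACL.
function auditPublicWidgets(widgets, acls) {
  const findings = findPublicWidgets(widgets).map((w) => {
    const open = aclsForTable(acls, w.reads_table).filter(isWideOpenAcl);
    return {
      widget: w.id,
      table: w.reads_table,
      open_acls: open.map((a) => a.sys_id),
      severity: open.length > 0 ? "high" : "review",
      fix: "sp_widget.list > " + w.name + " > unmark Public > Save",
    };
  });
  // high first, then by widget id, so the report is stable between runs
  return findings.sort((x, y) =>
    x.severity === y.severity
      ? x.widget.localeCompare(y.widget)
      : (x.severity === "high" ? -1 : 1));
}

function formatReport(findings) {
  return findings.map((f) =>
    `[${f.severity.toUpperCase()}] widget ${f.widget} reads ${f.table}` +
    (f.open_acls.length ? ` via wide-open read ACL ${f.open_acls.join(",")}` : "") +
    ` -> ${f.fix}`).join("\n");
}

console.log(formatReport(auditPublicWidgets(SAMPLE_WIDGETS, SAMPLE_ACLS)));
```

Every public widget still appears in the report, because the rule is that a widget stays private unless the application needs it; the ACL check only decides which ones to fix first.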