MSC-2024-8222 (Critical) detected in intersection-observer-0.12.2.tgz #2491
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
MSC-2024-8222 - Critical Severity Vulnerability
A polyfill for IntersectionObserver
Library home page: https://registry.npmjs.org/intersection-observer/-/intersection-observer-0.12.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: cde9e2fed34999ed7d1e6f8267246c83e03d61ce
Found in base branch: main
A malicious Polyfill reference has been identified in this package. The issue is located in the file "package\intersection-observer-test.html".
To address this security concern, we recommend taking one of two actions: either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540).
Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.
Publish Date: 2024-07-04
URL: MSC-2024-8222
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: