A malicious Polyfill reference has been identified in this package. The issue is located in the files: "package\demo\index.html" and "package\karma.conf.js".
To address this security concern, we recommend taking one of two actions: either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540).
Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.
A polyfill for the proposed inert API
Library home page: https://registry.npmjs.org/wicg-inert/-/wicg-inert-3.1.2.tgz
Path to dependency file: /src/Umbraco.Web.UI.Client/package.json
Path to vulnerable library: /src/Umbraco.Web.UI.Client/node_modules/wicg-inert/package.json
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
MSC-2024-9045
### Vulnerable Library - wicg-inert-3.1.2.tgzA polyfill for the proposed inert API
Library home page: https://registry.npmjs.org/wicg-inert/-/wicg-inert-3.1.2.tgz
Path to dependency file: /src/Umbraco.Web.UI.Client/package.json
Path to vulnerable library: /src/Umbraco.Web.UI.Client/node_modules/wicg-inert/package.json
Dependency Hierarchy: - :x: **wicg-inert-3.1.2.tgz** (Vulnerable Library)
Found in HEAD commit: 3779382600a590273050ede90af971d9ece62057
Found in base branch: v10/contrib
### Vulnerability DetailsA malicious Polyfill reference has been identified in this package. The issue is located in the files: "package\demo\index.html" and "package\karma.conf.js". To address this security concern, we recommend taking one of two actions: either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540). Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.
Publish Date: 2024-07-04
URL: MSC-2024-9045
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.