search

Stuk / jszip

Create, read and edit .zip files with Javascript
https://stuk.github.io/jszip/
Other
9.77k stars 1.3k forks source link

Fortify scan finds HTML5: Overly Permissive Message Posting Policy in jszip.js line 11477 and 11504 #901

Open dianesun opened 1 year ago

dianesun commented 1 year ago

Fortify Priority: Low Folder Low Kingdom: Encapsulation Abstract: On line 11477 of jszip.js the program posts a cross-document message with an overly permissive target origin.. Sink: jszip.js:11477 FunctionPointerCall: postMessage() 11475 postMessageIsAsynchronous = false; 11476 }; 11477 global.postMessage("", "*"); 11478 global.onmessage = oldOnMessage; 11479 return postMessageIsAsynchronous;

Abstract: On line 11504 of jszip.js the program posts a cross-document message with an overly permissive target origin.. Sink: jszip.js:11504 FunctionPointerCall: postMessage() 11502 11503 registerImmediate = function (handle) { 11504 global.postMessage(messagePrefix + handle, "*"); 11505 }; 11506 }

Fotiman commented 1 year ago

This raises the question: why would this package be messaging with the parent window?