General information
Issue description
We use HCL Appscan (previously IBM Appscan) as one of our security testing and scanning tools.
In some of our applications, we embed the Braintree Javascript SDK file instead of using a CDN to download the SDK file, while others use a CDN to download the SDK file.
In one of the scans from Appscan, it reported a security issue titled "Link to Non-Existing Domain Found" in the embedded Braintree Javascript SDK file:
... basically saying that a bad actor could set up that domain and have traffic point to the bad actor's server to fetch the resource. It is basically complaining about this line:
https://github.com/braintree/braintree-web/blob/57550066d04d7bc60a3b81c3a315a7733fb06f3f/src/data-collector/kount.js#L6
... where assets.qa.braintreepayments.com is not a valid domain ... well, not to the public / Internet anyway ... but I presume it is an internal-only domain in Braintree's network used for QA testing.
Is there a guarantee that this internal-only domain will NEVER be triggered or used by users of Braintree's Javascript SDK?
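A defender-side triage check for this kind of scanner finding, added here as an example and not code from Braintree, Appscan or this issue: it lists every hostname an embedded SDK file references by absolute URL and reports the ones outside an allowlist, with the line numbers where they appear. The sample JavaScript and the allowlist entry are constructed; the allowlist is assumed to be the integrator's own list of expected production hosts.

```python
import re
from urllib.parse import urlsplit

# Constructed sample standing in for a vendored SDK file (not the real kount.js).
SAMPLE_JS = (
    "var PROD_URL = 'https://assets.braintreegateway.com/data/';\n"
    "var QA_URL = 'https://assets.qa.braintreepayments.com/data/';\n"
    'var DOCS = "http://example.com/docs";\n'
)

# Assumed allowlist of hosts the integrator expects the SDK to contact in production.
ALLOWLIST = ("assets.braintreegateway.com",)

# Absolute http(s) URLs; stops at whitespace, quotes and common delimiters.
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")


def extract_hosts(js_text):
    """Return the sorted distinct hostnames referenced by absolute URLs in js_text."""
    hosts = set()
    for match in URL_RE.finditer(js_text):
        host = urlsplit(match.group(0)).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def is_allowed(host, allowlist):
    """A host is allowed if it equals an allowlist entry or is a subdomain of one."""
    return any(host == entry or host.endswith("." + entry) for entry in allowlist)


def report(js_text, allowlist):
    """Map each host outside the allowlist to the 1-based line numbers referencing it."""
    findings = {}
    for lineno, line in enumerate(js_text.splitlines(), start=1):
        for host in extract_hosts(line):
            if not is_allowed(host, allowlist):
                findings.setdefault(host, []).append(lineno)
    return findings


if __name__ == "__main__":
    for host, lines in report(SAMPLE_JS, ALLOWLIST).items():
        print(f"review: {host} referenced on line(s) {lines}")
```

Each flagged host can then be checked against the vendor's documented endpoints before deciding whether the finding is a real risk or an unused environment-specific reference.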