MSC-2024-8222 (Critical) detected in intersection-observer-0.12.2.tgz

[mend-bolt-for-github[bot]]

MSC-2024-8222 - Critical Severity Vulnerability

Vulnerable Library - intersection-observer-0.12.2.tgz

A polyfill for IntersectionObserver

Library home page: https://registry.npmjs.org/intersection-observer/-/intersection-observer-0.12.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy: - muon-0.0.2-beta.54.tgz (Root Library) - dev-server-storybook-2.0.1.tgz - rollup-plugin-polyfills-loader-2.1.1.tgz - polyfills-loader-2.2.0.tgz - :x: **intersection-observer-0.12.2.tgz** (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A malicious Polyfill reference has been identified in this package. The issue is located in the file "package\intersection-observer-test.html". To address this security concern, we recommend taking one of two actions: either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540). Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.

Publish Date: 2024-07-04

URL: MSC-2024-8222

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with Mend here