hashgraph / hedera-sourcify

Tools for verifying Hedera smart contracts using standard open source libraries.
Apache License 2.0
6 stars, 7 forks

Patch Fix cross-realm object access. ImportParserPlugin.js mishandles #132

Closed lamrecognitions closed 4 months ago

lamrecognitions commented 4 months ago

The hashgraph/hedera-sourcify project uses a webpack version that does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

CVE-2023-28154 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


acuarica commented 4 months ago

Hi @lamrecognitions, thanks for sending this. There is a similar PR https://github.com/hashgraph/hedera-sourcify/security/dependabot/62 that seems to address this. Moreover, the report described here does not appear to affect our codebase.