Polyfill detected as JS Trojan

immersive-web / webxr-polyfill

Use the WebXR Device API today, providing fallbacks to native WebVR 1.1 and Cardboard

Apache License 2.0

382 stars 85 forks source link

Polyfill detected as JS Trojan #44

Closed jfcampos closed 5 years ago

jfcampos commented 5 years ago

We had reports of these 2 antivirus: AVG (Chrome Windows 10) Avast (Chrome Mac OSX)

Blocking the polyfill from running, flagging it for being infected with JS:Downloader-EAX Trojan.

Doing some debug, we found out that the warning comes up while running Dpdb.prototype.calcDeviceParams_

jfcampos commented 5 years ago

Just confirmed the issue is actually related to the name of the function Dpdb.prototype.matchRule_. Just by changing it we don't get the alert. I'm submitting this to the cardboard-vr-display repo

jfcampos commented 5 years ago

Did a PR https://github.com/immersive-web/cardboard-vr-display/pull/32

Can/will do another PR here if it gets merged

jsantell commented 5 years ago

what a weird one, thanks for figuring this out @jfcampos!

TrevorFSmith commented 5 years ago

That's a great catch, @jfcampos!

It's sort of alarming that such an innocuous name is flagged but perhaps a bit of malware happened to use the same naming patterns.

jsantell commented 5 years ago

Fixed in 1.0.12