MSC-2024-9005 (Critical) detected in wicg-inert-3.1.1.tgz

[mend-bolt-for-github[bot]]

MSC-2024-9005 - Critical Severity Vulnerability

Vulnerable Library - wicg-inert-3.1.1.tgz

A polyfill for the proposed inert API

Library home page: https://registry.npmjs.org/wicg-inert/-/wicg-inert-3.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/wicg-inert/package.json

Dependency Hierarchy: - :x: **wicg-inert-3.1.1.tgz** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A malicious Polyfill reference has been identified in this package. The issue is located in the files: "package\demo\index.html" and "package\karma.conf.js". To address this security concern, we recommend taking one of two actions: either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540). Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.

Publish Date: 2024-07-04

URL: MSC-2024-9005

CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with Mend here