playcanvas / engine

JavaScript game engine built on WebGL, WebGPU, WebXR and glTF
https://playcanvas.com
MIT License

Vulnerability / Security issue on playcanvas stable min js file #6828

Open nehatdedinca opened 1 month ago

nehatdedinca commented 1 month ago

Description

I am using PlayCanvas by downloading the .zip folder and then integrating it into my application by pointing to the correct animation/illustration assets.

After regression (pen) testing of my application, the resulting report indicates that the file playcanvas-stable.min.js contains Unicode bidirectional (BiDi) control characters, which could lead to some security issues (vulnerabilities/breaches). For more detail, I have attached a screenshot from the report that elaborates on the issue.

[Image: Screenshot 2024-07-17 at 3 44 40 PM]

Moreover, I have tried reproducing the issue with BiDi character checkers such as the npm package bidi-js. It found the vulnerabilities (fishy characters), but I was not able to solve it in the minified file. I was not able to get the non-minified file.

This is a list of BiDi characters. Most, if not all, of the character breaches found were under the category of Other Neutral.

Please try to reproduce the issue by running regression or pen tests on an application which uses playcanvas (playcanvas-stable.min.js) and the vulnerability should be there.

Any suggestion on how to correct or overcome this issue would be highly appreciated. Thank you in advance! ND

willeastcott commented 1 month ago

It appears that Terser is somehow introducing BiDi characters into playcanvas.min.js. They are not present in playcanvas.js. I have high confidence that the BiDi characters are harmless, but if you are concerned, feel free to swap out playcanvas.min.js with playcanvas.js.
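A scanner for the explicit BiDi control code points this thread is about, as an added example that is not part of the original posts and is not PlayCanvas or Terser code. The names `findBidiControls` and `escapeBidi` are hypothetical and the sample input is constructed; the scanner flags only the directional marks, embeddings, overrides and isolates, and reports each one with an escaped context so it can be located in a minified file.

```javascript
// Added example (not PlayCanvas or Terser code). Function names are hypothetical.
// Explicit BiDi control code points: marks, embeddings, overrides, isolates.
const BIDI_CONTROLS = new Map([
  [0x061c, 'ARABIC LETTER MARK'],
  [0x200e, 'LEFT-TO-RIGHT MARK'],
  [0x200f, 'RIGHT-TO-LEFT MARK'],
  [0x202a, 'LEFT-TO-RIGHT EMBEDDING'],
  [0x202b, 'RIGHT-TO-LEFT EMBEDDING'],
  [0x202c, 'POP DIRECTIONAL FORMATTING'],
  [0x202d, 'LEFT-TO-RIGHT OVERRIDE'],
  [0x202e, 'RIGHT-TO-LEFT OVERRIDE'],
  [0x2066, 'LEFT-TO-RIGHT ISOLATE'],
  [0x2067, 'RIGHT-TO-LEFT ISOLATE'],
  [0x2068, 'FIRST STRONG ISOLATE'],
  [0x2069, 'POP DIRECTIONAL ISOLATE'],
]);

const toEscape = (cp) => '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');

// Replace each control character with a visible \uXXXX escape.
function escapeBidi(text) {
  return Array.from(text, (ch) => {
    const cp = ch.codePointAt(0);
    return BIDI_CONTROLS.has(cp) ? toEscape(cp) : ch;
  }).join('');
}

// One finding per control character: UTF-16 offset, 1-based line and column,
// code point, name, and the surrounding text with controls escaped.
function findBidiControls(text, contextChars = 12) {
  const findings = [];
  let line = 1, lineStart = 0;
  for (let i = 0; i < text.length; i++) {
    const cp = text.charCodeAt(i); // every listed control is in the BMP
    if (cp === 0x0a) { line++; lineStart = i + 1; continue; }
    if (!BIDI_CONTROLS.has(cp)) continue;
    findings.push({
      offset: i, line, column: i - lineStart + 1,
      codePoint: toEscape(cp), name: BIDI_CONTROLS.get(cp),
      context: escapeBidi(text.slice(Math.max(0, i - contextChars), i + contextChars + 1)),
    });
  }
  return findings;
}

// Constructed sample: minified-style code with a raw U+200F inside a regex
// character class and a raw U+202E inside a string literal.
const SAMPLE = 'var a=/[\u200F]/;\nvar b="x\u202Ey";';
```

To check a build artifact, pass `findBidiControls` the file contents read as UTF-8; the `offset` and `context` fields show whether a hit sits inside a string or regex literal.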