Closed ddalcino closed 11 months ago
ruby-advisory-db also contains advisories for gems which contain vulnerable JavaScript libraries, see https://github.com/rubysec/ruby-advisory-db/tree/master/gems/jquery-rails
Please submit a PR with a new advisory for this, but without a patched_version attribute since there isn't a patched version (of the gem) yet.
I've opened #720 to cover a vulnerability in twitter-bootstrap-rails as well. Please let me know if you need me to open an issue for that one as well.
The bootstrap-wysihtml5-rails gem at v0.3.3.8 and earlier includes a vendored JavaScript library (handlebars v3.0.2). That library is affected by https://github.com/advisories/GHSA-w457-6q6x-cgp9 and fixed by handlebars v4.3.0 or 3.0.8. There is no patched version of the bootstrap-wysihtml5-rails gem that updates this version of handlebars.
I've noticed that most of the issues in this database relate to issues in the Ruby code bundled into Ruby gems, but not necessarily issues with vendored JavaScript libraries. Is this by design? If so, please close this issue. Otherwise, I can file more issues like this; I've found vulnerable vendored JS in a couple of gems.
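The check the reporter describes (a gem ships a vendored handlebars build, and only its own banner tells you which version) is easy to automate. The following Ruby script is an added example, not code from this issue, from ruby-advisory-db, or from the bootstrap-wysihtml5-rails gem: it walks a gem directory for files named like a handlebars build, reads the version out of the banner comment, and reports whether that version is below the fixed releases named above (3.0.8 on the 3.x line, 4.3.0 on the 4.x line). The banner regex is an assumption about the handlebars dist header, the affected-range logic assumes "fixed by 3.0.8 or 4.3.0" means everything below 3.0.8 and everything in 4.0.0 up to 4.3.0 is affected, and the gem tree written in `demo` is constructed for the demonstration.

```ruby
# Added example (not from ruby-advisory-db or any gem): find vendored handlebars
# builds inside a gem's install tree and flag versions affected by
# GHSA-w457-6q6x-cgp9 (fixed in 3.0.8 and 4.3.0).
require "tmpdir"
require "fileutils"

# Fixed releases per line, taken from the issue text above.
FIXED_3X = Gem::Version.new("3.0.8")
FIXED_4X = Gem::Version.new("4.3.0")
FIRST_4X = Gem::Version.new("4.0.0")

# Assumption: a handlebars dist file carries either a banner line such as
# " handlebars v3.0.2" or an assignment such as VERSION = '3.0.2'.
VERSION_RE = /handlebars\s+v(\d+\.\d+\.\d+)|VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/i

# Return the first handlebars version string found in +path+, or nil.
def handlebars_version_in(path)
  File.foreach(path) do |line|
    m = VERSION_RE.match(line)
    return m[1] || m[2] if m
  end
  nil
end

# :vulnerable when below 3.0.8, or on the 4.x line but below 4.3.0; :fixed otherwise.
# Assumption: the advisory's affected ranges are exactly those two intervals.
def handlebars_status(version_str)
  v = Gem::Version.new(version_str)
  return :vulnerable if v < FIXED_3X
  return :vulnerable if v >= FIRST_4X && v < FIXED_4X
  :fixed
end

# Walk +gem_dir+ and return [relative_path, version, status] for every file whose
# name looks like a handlebars build and whose contents reveal a version.
def scan_gem_dir(gem_dir)
  Dir.glob(File.join(gem_dir, "**", "*handlebars*.js")).sort.filter_map do |path|
    ver = handlebars_version_in(path)
    next unless ver
    [path.delete_prefix(gem_dir + "/"), ver, handlebars_status(ver)]
  end
end

# Real-world entry point: scan every gem installed in the current Ruby.
# Not exercised by the demo so the script stays self-contained.
def scan_installed_gems
  Gem::Specification.flat_map { |spec| scan_gem_dir(spec.full_gem_path) }
end

# Constructed gem tree mimicking a vendor/assets layout with a handlebars 3.0.2
# runtime, as the issue reports for bootstrap-wysihtml5-rails 0.3.3.8.
def demo
  Dir.mktmpdir do |dir|
    js_dir = File.join(dir, "vendor", "assets", "javascripts", "bootstrap-wysihtml5")
    FileUtils.mkdir_p(js_dir)
    File.write(File.join(js_dir, "handlebars.runtime.min.js"),
               "/*!\n\n handlebars v3.0.2\n\nCopyright (C) 2011-2015 by Yehuda Katz\n*/\n")
    scan_gem_dir(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |rel, ver, status| puts "#{rel}: handlebars #{ver} -> #{status}" }
end
```

Run it as-is to see the constructed tree flagged, or call `scan_installed_gems` against a real environment. Note that it only catches files whose name contains "handlebars"; a build concatenated into a larger bundle would need the version regex run over every `.js` file instead.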