thlorenz / browserify-shim

📩 Makes CommonJS incompatible files browserifyable.
MIT License
934 stars, 87 forks

CVE-2022-37621/ Prototype pollution found in resolve-shims.js #247

Closed. secdevlpr26 closed this issue 1 year ago.

secdevlpr26 commented 1 year ago

Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the fullPath variable in resolve-shims.js.

The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/

bendrucker commented 1 year ago

Not going to continue accepting these automated, or at least non-interactive, reports for pollution that doesn't even affect global prototypes.
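The distinction drawn in the comment above, between a write that only rebinds the prototype of one local object and pollution that reaches the shared `Object.prototype`, is shown below with an added example. This is editorial code, not browserify-shim's resolve-shims.js: `buildShimMap` is a hypothetical stand-in for a single-level `map[key] = value` write keyed by data an attacker can influence (such as package.json entries), `naiveMerge` is the classic recursive-merge pattern that does pollute globally, and `safeMerge` is the hardened form. The JSON payload is constructed for the demonstration.

```javascript
// Hypothetical stand-in for a single-level keyed write (not the project's code).
// Each key is attacker-influenced, but the assignment is one level deep.
function buildShimMap(entries) {
  const shims = {};
  for (const [key, shim] of Object.entries(entries)) {
    shims[key] = shim; // key "__proto__" rebinds shims' own prototype only
  }
  return shims;
}

// Naive recursive merge: recursing through target["__proto__"] lands on
// Object.prototype, so keys written there are visible on every object.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip prototype-reaching keys and only recurse into
// properties the target actually owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = hasOwn(target, key) ? target[key] : undefined;
      const dest = existing !== null && typeof existing === "object" ? existing : {};
      target[key] = safeMerge(dest, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: JSON.parse creates an *own* "__proto__" key,
// which is what makes the merge variants reachable.
const PROBE = "bsPollutionProbe";
function attackerPayload() {
  return JSON.parse(`{"__proto__": {"${PROBE}": true}}`);
}

// Runs fn on the payload and reports whether Object.prototype was polluted,
// then cleans up so later checks start from a clean global.
function pollutesGlobalPrototype(fn) {
  try {
    fn(attackerPayload());
    return ({})[PROBE] === true;
  } finally {
    delete Object.prototype[PROBE];
  }
}

// The single-level write does change the local object: its prototype is
// swapped for the attacker-supplied object, but nothing else is affected.
function singleLevelWriteRebindsLocalPrototype() {
  const shims = buildShimMap(attackerPayload());
  const localChanged = Object.getPrototypeOf(shims) !== Object.prototype;
  const inherited = shims[PROBE] === true;
  return localChanged && inherited && ({})[PROBE] === undefined;
}

function runDemo() {
  return {
    singleLevelWrite: pollutesGlobalPrototype((p) => buildShimMap(p)), // false
    naiveMerge: pollutesGlobalPrototype((p) => naiveMerge({}, p)),     // true
    safeMerge: pollutesGlobalPrototype((p) => safeMerge({}, p)),       // false
    localOnly: singleLevelWriteRebindsLocalPrototype(),                // true
  };
}

console.log(runDemo());
```

When triaging a report of this kind, the question to ask is whether the sink is a recursive merge or property walk that can descend through `__proto__` (global impact), or a single keyed assignment on a throwaway object (local impact, which a `Object.create(null)` map or a key allowlist closes off anyway).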

secdevlpr26 commented 1 year ago

Hello, sorry for all the inconvenience caused. All the reports are based on the research work of my colleague (you can find her paper's link below), and I am reporting them here as per her analysis and records.

https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - This is the published paper with the Github link to her static analysis tool. Thanks

bendrucker commented 1 year ago

Ok, interesting, but the nature of security is that balancing signal and noise is critical. Performing automated analysis and then reporting non-exploitable paths as high sev vulnerabilities in public databases is a massive amount of noise. I'd argue this type of effort is a net-harm to security by wasting maintainers time and potentially obscuring exploitable vulnerabilities in a sea of inconsequential reports. You should have tested and iterated on your methodology for outreach before mass-spamming these reports as well as been honest up front about the detection methodology used.

I'll be getting in touch with the research team and their supervisors to submit this complaint.