MSC-2024-8222 (Critical) detected in intersection-observer-0.12.2.tgz

[mend-bolt-for-github[bot]]

MSC-2024-8222 - Critical Severity Vulnerability

Vulnerable Library - intersection-observer-0.12.2.tgz

A polyfill for IntersectionObserver

Library home page: https://registry.npmjs.org/intersection-observer/-/intersection-observer-0.12.2.tgz

Path to dependency file: /docs/website/package.json

Path to vulnerable library: /docs/website/package.json

Dependency Hierarchy:

• :x: intersection-observer-0.12.2.tgz (Vulnerable Library)

Found in HEAD commit: f2de77058650d8a84834dc996fa34de605a47fd8

Found in base branch: master

Vulnerability Details

A malicious Polyfill reference has been identified in this package. The issue is located in the file "package\intersection-observer-test.html". To address this security concern, we recommend taking one of two actions: either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540). Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.

Publish Date: 2024-07-04

URL: MSC-2024-8222

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

---

Step up your Open Source Security Game with Mend here