Prototype Pollution in fullpage.js

Description

fullPage utils are available to developers using window.fp_utils. They can use these utils for their own use-case (other than fullPage) as well. However, one of the utils deepExtend is vulnerable to Prototype Pollution vulnerability.

Recommendation

Update the fullpage.js package to the latest compatible version. Followings are version details:

• Affected version(s): < 4.0.2
• Patched version(s): 4.0.2

References

• GHSA-vpgw-ffh3-648h
• huntr.dev
• CVE-2022-1295
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Prototype Pollution in protobufjs - CVE-2022-25878
• Prototype Pollution in JSON5 via Parse Method - CVE-2022-46175
• Grunt-karma vulnerable to prototype pollution - CVE-2022-37602
• thlorenz browserify-shim vulnerable to prototype pollution - browserify-shim - GHSA-cfgr-75jx-h88g - CVE-2022-37623

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

fullpage.js