```js
bound=Function('binder','return function ('+boundArgs.join(',')+'){ return binder.apply(this, arguments); }')(binder);
```
We think it is upset because that bit of code is effectively an inline 'eval' which technically could be used as part of a cross-site scripting exploit.
I thought it might be worth adding this issue to help others.
I wonder if the polyfill is still needed actually? CanIUse suggests to me that this polyfill is for IE6 - IE8 and I think the GOVUK Design System team are now working to drop support for IE8?
You're correct that this is a polyfill for IE8, which we still support in GOV.UK Frontend. We're still at least a couple of months out from dropping support for it completely, but it will eventually be removed as part of #2506.
The polyfill we use is derived from Polyfill.io. Their version of the code is here, though they have since removed support for IE8 and this polyfill with it, so it's unlikely that they will respond to a security report.
Although it being flagged as a security issue isn't great, this code will only be executed by IE8 and similarly old browsers outside of our support remit, which feels like it mitigates the risk of a serious or widespread security threat.
I've added this to our list of known validation warnings for now, but I don't think it's likely we'll fix this before we remove polyfills anyway.
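For comparison, here is a `bind` polyfill written as a plain closure, so no source text is assembled and compiled at runtime and nothing trips an inline-`eval` check or a CSP without `'unsafe-eval'`. This is an added illustration, not code from GOV.UK Frontend or Polyfill.io; the function name `bindWithoutEval` is mine. It keeps the fixed `this`, partial application and `new` behaviour of the Function-constructor version, but it does not reproduce the bound function's `length`, which is the one thing the original needs dynamic code generation for on ES3 engines.

```javascript
// Added example: Function.prototype.bind semantics without the Function
// constructor. Trade-off: `length` of the bound function is not set,
// since that needs Object.defineProperty on a configurable `length`.
function bindWithoutEval(target /*, thisArg, ...boundArgs */) {
  if (typeof target !== 'function') {
    throw new TypeError('Bind must be called on a function');
  }
  var thisArg = arguments[1];
  var boundArgs = Array.prototype.slice.call(arguments, 2);
  function Empty() {}

  var bound = function () {
    var args = boundArgs.concat(Array.prototype.slice.call(arguments));
    if (this instanceof bound) {
      // Invoked with `new`: ignore thisArg, construct on the target's
      // prototype chain, and honour an explicitly returned object.
      var result = target.apply(this, args);
      return Object(result) === result ? result : this;
    }
    return target.apply(thisArg, args);
  };

  // Make `new bound()` produce instances of `target` without calling it.
  if (target.prototype) {
    Empty.prototype = target.prototype;
    bound.prototype = new Empty();
    Empty.prototype = null;
  }
  return bound;
}

// Constructed sample usage so the behaviour can be checked offline.
function demo() {
  function add(a, b) { return a + b + (this && this.offset ? this.offset : 0); }
  var add5 = bindWithoutEval(add, { offset: 100 }, 5);

  function Point(x, y) { this.x = x; this.y = y; }
  var OriginPoint = bindWithoutEval(Point, null, 1);
  var p = new OriginPoint(2);

  return {
    partial: add5(1),                 // 5 + 1 + 100 = 106
    x: p.x, y: p.y,                   // 1, 2
    isPoint: p instanceof Point,      // true
    isBound: p instanceof OriginPoint // true
  };
}
```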
Developers in my service team have informed me the 'bind' polyfill has been flagged in some automated security/threat testing as Common Weakness Enumeration 749 because of line 125.