fix: [SDK-4150] prevent prototype pollution in JSONP calls#1442

Merged
fadi-george merged 8 commits into main from fadi/sdk-4150-prototype-pollution-vulnerability
Mar 23, 2026

Conversation

fadi-george (Contributor) commented Mar 23, 2026

Description

1 Line Summary

Prevent prototype pollution exploitation in the jsonp dependency by passing explicit options.

Details

The jsonp library reads prefix, name, param, and timeout from an options object using || fallbacks. When no explicit options are passed, these properties resolve via the prototype chain — allowing an attacker with a prototype pollution primitive to control the JSONP callback name and achieve arbitrary code execution.

This fix passes explicit values for all jsonp options so own properties shadow any polluted Object.prototype values.

Systems Affected

  • WebSDK
  • Backend
  • Dashboard

Validation

Tests

Info

  • Verify Object.prototype.prefix = 'alert(1)//' no longer triggers an alert
  • Verify Object.prototype.name = 'alert(1)' no longer triggers an alert
  • Verify JSONP config fetch still works normally without prototype pollution present

Checklist

  • All the automated tests pass or I explained why that is not possible
  • I have personally tested this on my machine or explained why that is not possible
  • I have included test coverage for these changes or explained why they are not needed

Programming Checklist
Interfaces:

  • Don't use default export
  • New interfaces are in model files

Functions:

  • Don't use default export
  • All function signatures have return types
  • Helpers should not access any data but rather be given the data to operate on.

Typescript:

  • No Typescript warnings
  • Avoid silencing null/undefined warnings with the exclamation point

Other:

  • Iteration: refrain from using elem of array syntax. Prefer forEach or use map
  • Avoid using global OneSignal accessor for context if possible. Instead, we can pass it to function/constructor so that we don't call OneSignal.context

Screenshots

Info

N/A — no UI changes.

Checklist

  • I have included screenshots/recordings of the intended results or explained why they are not needed

Related Tickets
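The option lookup the description refers to, as an added example that is not code from this project or from the jsonp package: it models a resolver that reads prefix, name, param and timeout with || fallbacks, pollutes Object.prototype with the two values listed under Validation, and shows that an options object whose four keys are own properties shadows the polluted values. The default values, the endpoint URL, the counter-based callback naming and the echoed-response shape are assumptions made for the illustration.

```javascript
// Added example, not code from the project or from the jsonp library. It
// models the pattern the PR describes: a library resolves prefix, name, param
// and timeout from an options object with `||`, so a missing own property is
// found on Object.prototype before the default applies. The defaults, the URL
// and the echoed-response shape are assumptions for illustration only.

const API = 'https://api.example.invalid/config'; // constructed, not a real endpoint
let counter = 0;

// Library-side lookup as described in the PR: every option is read with `||`,
// which walks the prototype chain whenever the caller omits the key.
function resolveOptions(opts) {
  opts = opts || {};
  const prefix = opts.prefix || '__jp';
  const name = opts.name || prefix + counter++;
  const param = opts.param || 'callback';
  const timeout = opts.timeout || 60000;
  return { prefix, name, param, timeout };
}

// Caller-side fix in the spirit of the PR: build an options object whose four
// keys are all own properties. Caller-supplied values are taken only through
// hasOwnProperty, so nothing is ever read through the prototype chain.
function explicitOptions(userOpts = {}) {
  const own = (key, fallback) =>
    Object.prototype.hasOwnProperty.call(userOpts, key) ? userOpts[key] : fallback;
  const prefix = own('prefix', '__jp');
  return {
    prefix,
    name: own('name', prefix + counter++),
    param: own('param', 'callback'),
    timeout: own('timeout', 60000),
  };
}

// What the library does with the resolved options: the callback name goes into
// the query string, and a JSONP endpoint echoes it verbatim as the script body.
// Whoever controls `name` therefore controls the JavaScript that executes;
// a name such as `alert(1)//0` runs alert(1) and comments out the payload.
function buildRequest(url, opts) {
  const sep = url.includes('?') ? '&' : '?';
  const src = `${url}${sep}${opts.param}=${encodeURIComponent(opts.name)}`;
  const responseScript = `${opts.name}(${JSON.stringify({ ok: true })});`;
  return { src, responseScript };
}

// Run both code paths under a constructed pollution primitive (the keys set on
// Object.prototype stand in for whatever gadget an attacker would use) and
// remove the pollution afterwards so the process is left clean.
function simulate(pollution) {
  counter = 0;
  for (const [key, value] of Object.entries(pollution)) Object.prototype[key] = value;
  try {
    const vulnOpts = resolveOptions({});                  // caller passes nothing
    const safeOpts = resolveOptions(explicitOptions({})); // caller passes own props
    return {
      vulnerableName: vulnOpts.name,
      vulnerableScript: buildRequest(API, vulnOpts).responseScript,
      hardenedName: safeOpts.name,
      hardenedScript: buildRequest(API, safeOpts).responseScript,
    };
  } finally {
    for (const key of Object.keys(pollution)) delete Object.prototype[key];
  }
}

console.log(simulate({ prefix: 'alert(1)//' }));
console.log(simulate({ name: 'alert(1)' }));
console.log(simulate({})); // no pollution: both paths produce a generated name
```

The third call shows the behaviour the Validation section asks for: with nothing on Object.prototype, both the original lookup and the explicit-options path produce an ordinary generated callback name, so the fix changes nothing for legitimate requests.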


@fadi-george fadi-george changed the title fix(security): prevent prototype pollution in JSONP calls fix: [SDK-4150] prevent prototype pollution in JSONP calls Mar 23, 2026
@fadi-george fadi-george requested review from abdulraqeeb33 and sherwinski and removed request for abdulraqeeb33 March 23, 2026 20:36
@fadi-george fadi-george merged commit 129b06b into main Mar 23, 2026
4 checks passed
@fadi-george fadi-george deleted the fadi/sdk-4150-prototype-pollution-vulnerability branch March 23, 2026 20:43
@github-actions github-actions bot mentioned this pull request Mar 23, 2026