PrismJS DOM Clobbering vulnerability

[rebekaburnett]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io.
• I have read the console error message carefully (if applicable).

Description

There is a Dependabot alert on this docusaurus-provided package: Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

Reproducible demo

No response

Steps to reproduce

This is provided by a dependabot alert in the github repository.

Expected behavior

Please update the packages when you can

Actual behavior

.

Your environment

• Public source code:
• Public site URL:
• Docusaurus version used:
• Environment name and version (e.g. Chrome 89, Node.js 16.4):
• Operating system and version (e.g. Ubuntu 20.04.2 LTS):

Self-service

• I'd be willing to fix this bug myself.

[slorber]

Afaik the security issue reported: https://nvd.nist.gov/vuln/detail/CVE-2024-53382

It's been reported only 1 day ago and affects the very latest version of Prism (which hasn't received any publish since 2022).

We can't do anything in this repository and will close it as an external issue.

Prism needs to release a v1.30 with a fix: you should report the problem to Prism directly, once they fix it, Docusaurus users will immediately "benefit" from it.

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

We use Prism for Markdown code blocks which are usually trusted inputs hardcoded in Markdown files committed to Git and reviewed by teammates. Unless proven otherwise, this vulnerability is harmless in our context, like many other vulnerabilities that Dependabot is likely to report.

Related read: https://overreacted.io/npm-audit-broken-by-design/

[slorber]

They published a fix, you can upgrade your dependency and use the new version, like we did here: #10978

[rebekaburnett]

Thanks!!!