Merge branch 'aegilops/polyfill-io-compromised-script' of https://github.com/aegilops/codeql into aegilops/polyfill-io-compromised-script

aegilops · aegilops · commit 61df4d2f046e · 2024-07-12T12:49:18.000+01:00
diff --git a/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.qhelp b/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.qhelp
@@ -48,12 +48,12 @@
 		</p>
 
 		<p>
-			To help mitigate future risk of including a script that could be compromised, consider whether you need to
-			use a polyfill or other library at all. Modern browsers do not require a polyfill, and other popular libraries are redundant after enhancements to HTML 5.
+			To help mitigate the risk of including a script that could be compromised in the future, consider whether you need to
+			use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.
 		</p>
 
 		<p>
-			If you do need a polyfill service or library, move to using a trusted CDN.
+			If you do need a polyfill service or library, move to using a CDN that you trust.
 		</p>
 		
 		<p>
@@ -63,7 +63,7 @@
 		    
 			A dynamic service cannot be easily used with SRI. Nevertheless,
 			it is possible to list multiple acceptable SHA hashes in the <code>integrity</code> attribute,
-			such as those for the content generated for major browers used by your users.
+			such as hashes for the content required for the major browsers used by your users.
 		</p>
 
 		<p>
@@ -85,7 +85,7 @@
 		<sample src="polyfill-trusted.html" />
 
 		<p>
-			If you can investigate the most used browsers by your users, you can list the hashes of the polyfills for those browsers:
+			If you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:
 		</p>
 
 		<sample src="polyfill-sri.html" />
diff --git a/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql b/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedDomain.ql
@@ -1,6 +1,6 @@
 /**
  * @name Untrusted domain used in script or other content
- * @description Use of a script or other content from an untrusted or compromised domain
+ * @description Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.
  * @kind problem
  * @security-severity 7.2
  * @problem.severity error
