OSVDB-126747: Backdooring via erroneous minifcation of boolean expression

August 24, 2015

There’s a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was demonstrated to allow potentially malicious code to be hidden within secure code, activated by minification. Affected versions erroneously minify boolean expressions.

References

github.com/lautis/uglifier/pull/86
github.com/mishoo/UglifyJS2/issues/751
zyan.scripts.mit.edu/blog/backdooring-js/

Detect and mitigate OSVDB-126747 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →