GMS-2023-5978: Stale copy of the public suffix list
We have identified that this project contains an out-of-date version of the Public Suffix List (https://publicsuffix.org/). We are carrying out research to identify the potential impacts of using old versions of the Public Suffix List, and we intend to publish our results in academic conferences and journals. Our results will become publicly available after 21 days; this provides time to update your project with an up-to-date version of the Public Suffix List.
GitHub repository: gsemac/Gsemac.Common
Public Suffix List path: src/Gsemac.Net/Resources/public_suffix_list.dat
The Public Suffix List is regularly updated (generally a few times per week), and to ensure that the correct privacy boundaries are maintained between websites, applications that use it should routinely fetch an updated copy. If new suffixes have been added to the list and an application still uses an old copy, privacy boundaries will not be constructed correctly, allowing data (e.g., cookies) to be set with an incorrect scope and potentially harming privacy.
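The boundary failure described above, as an added example (not code from the Gsemac.Common project): a minimal matcher implementing the publicsuffix.org lookup algorithm (longest match, `*` wildcards, `!` exceptions), plus an RFC 6265-style cookie Domain check, run against a constructed stale list and the same list after a hypothetical suffix `pages.example` has been added.

```python
OLD_PSL = """\
// stale copy, constructed for this example (not the real list)
com
uk
co.uk
*.ck
!www.ck
"""
NEW_PSL = OLD_PSL + "pages.example\n"  # hypothetical suffix added after the stale copy


def parse_psl(text: str) -> list[str]:
    """Keep rule lines only: drop blank lines and '//' comments."""
    return [ln.split()[0].lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("//")]


def _labels(name: str) -> list[str]:
    return name.lower().strip(".").split(".")


def _matches(rule: list[str], host: list[str]) -> bool:
    """A rule matches when its labels equal the host's rightmost labels ('*' = any)."""
    return len(rule) <= len(host) and all(
        r == "*" or r == h for r, h in zip(reversed(rule), reversed(host)))


def public_suffix(host: str, rules: list[str]) -> str:
    hl = _labels(host)
    matches = [(r.startswith("!"), _labels(r.lstrip("!"))) for r in rules
               if _matches(_labels(r.lstrip("!")), hl)]
    exceptions = [m for m in matches if m[0]]
    if exceptions:                      # an exception rule always prevails ...
        labels = exceptions[0][1][1:]   # ... with its leftmost label removed
    elif matches:                       # otherwise the rule with the most labels
        labels = max(matches, key=lambda m: len(m[1]))[1]
    else:                               # no rule matched: the implicit '*' rule
        labels = ["*"]
    return ".".join(hl[len(hl) - len(labels):])


def registrable_domain(host: str, rules: list[str]):
    """Public suffix plus one label; None if the host is itself a public suffix."""
    hl, n = _labels(host), len(_labels(public_suffix(host, rules)))
    return ".".join(hl[-(n + 1):]) if len(hl) > n else None


def cookie_domain_allowed(host: str, domain_attr: str, rules: list[str]) -> bool:
    """RFC 6265-style check: Domain must cover the host and must not be a public suffix."""
    host, dom = host.lower().strip("."), domain_attr.lower().strip(".")
    if host != dom and not host.endswith("." + dom):
        return False
    return public_suffix(dom, rules) != dom
```

With the stale list a cookie for `Domain=pages.example` set from `alice.pages.example` is accepted and becomes visible to every other tenant under that suffix; with the updated list it is rejected.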
There is further guidance on how the Public Suffix List should be used in ICANN’s “Advisory on the Use of Static TLD / Suffix Lists” at https://www.icann.org/en/system/files/files/sac-070-en.pdf.
If you have any questions about our research, or about usage of the Public Suffix List, please reply via e-mail to sm@smcquistin.uk.