Description
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
Remediation
References
https://github.com/firebase/firebase-js-sdk/commit/9cf727fcc3d049551b16ae0698ac33dc2fe45ada
https://github.com/firebase/firebase-js-sdk/pull/4001
https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324
Related Vulnerabilities
CVE-2022-41714 Vulnerability in npm package fastest-json-copy
CVE-2018-25050 Vulnerability in npm package chosen-js
CVE-2022-31108 Vulnerability in maven package org.webjars.bower:mermaid
CVE-2023-34093 Vulnerability in npm package @strapi/strapi
CVE-2020-26237 Vulnerability in maven package org.webjars.bowergithub.highlightjs:highlight.js