Prototype Pollution in Dojox

2020-03-10T18:03:32
ID GHSA-3HW5-Q855-G6CW
Type github
Reporter GitHub Advisory Database
Modified 2020-03-12T20:29:31

Description

The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype Pollution.

Affected Area:

```javascript
//https://github.com/dojo/dojox/blob/master/jq.js#L442
var tobj = {};
for(var x in props){
	// the "tobj" condition avoids copying properties in "props"
	// inherited from Object.prototype. For example, if obj has a custom
	// toString() method, don't overwrite it with the toString() method
	// that props inherited from Object.prototype
	if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
		if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
			if(dojo.isArray(props[x])){
				obj[x] = props[x];
			}else{
				obj[x] = jqMix(obj[x], props[x]);
			}
		}else{
			obj[x] = props[x];
		}
	}
}
```
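The quoted loop is reduced below to a stand-alone function and set beside a hardened merge, with a regression check that reports whether `Object.prototype` was modified. This is an added example, not code from the advisory or from Dojo: `mixAsOnPage`, `safeMix`, `probe` and the `marker` key are hypothetical names, and the plain-JavaScript stand-ins for `dojo.isObject`/`dojo.isArray` and the `return obj` are assumptions.

```javascript
// Added example: the merge pattern from the advisory beside a hardened variant.
// All names here are hypothetical; none of this is dojox code.
const isObject = (v) => v !== null && typeof v === "object"; // stand-in for dojo.isObject
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Reduction of the quoted loop. tobj["__proto__"] is Object.prototype, which differs
// from props[x], so the "tobj" guard passes and the recursion targets obj.__proto__.
function mixAsOnPage(obj, props) {
  const tobj = {};
  for (const x in props) {
    if ((tobj[x] === undefined || tobj[x] != props[x]) &&
        props[x] !== undefined && obj != props[x]) {
      if (isObject(obj[x]) && isObject(props[x])) {
        if (Array.isArray(props[x])) { obj[x] = props[x]; }
        else { obj[x] = mixAsOnPage(obj[x], props[x]); }
      } else { obj[x] = props[x]; }
    }
  }
  return obj; // assumption: the original returns the merged target
}

// Hardened merge: own keys only, prototype-related keys skipped, recursion into own targets only.
function safeMix(obj, props) {
  for (const x of Object.keys(props)) {
    if (BLOCKED.has(x)) continue;
    const src = props[x];
    if (src === undefined) continue;
    const own = Object.prototype.hasOwnProperty.call(obj, x) ? obj[x] : undefined;
    if (isObject(src) && !Array.isArray(src) && isObject(own)) {
      safeMix(own, src);
    } else {
      obj[x] = src;
    }
  }
  return obj;
}

// Regression check on constructed input: did the merge add a key to Object.prototype?
function probe(mix) {
  const input = JSON.parse('{"a":{"b":1},"__proto__":{"marker":true}}'); // constructed
  const out = mix({ a: { c: 2 } }, input);
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, "marker");
  delete Object.prototype.marker; // clean up so later code is unaffected
  return { polluted, merged: out.a };
}

console.log(probe(mixAsOnPage), probe(safeMix));
```

A check like `probe` fits a unit-test suite for any recursive merge or extend helper that accepts parsed JSON.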