Affected versions of phantomjs-cheniu
insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running phantomjs-cheniu
.
No patch is currently available for this vulnerability.
As this package is just a fork of Medium’s phantomjs-prebuilt
package, the best mitigation is currently to install the Medium
version of phantomjs-prebuilt
. This can be done via the following command:
npm i phantomjs-prebuilt