This description is taken from the pull request provided by Patrick Kettner.
Versions 6.1.0 and earlier of hapi are vulnerable to a Rosetta Flash attack, which an attacker can use to send data across domains and break the browser's same-origin policy.
Alternatively, a solution previously implemented by Google, Facebook, and GitHub is to prepend JSONP callbacks with an empty inline comment. This causes the Flash parser to fail on the now-invalid input and prevents the issue; this is how the issue has been resolved internally in hapi.
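The following is an added illustration of the mitigation described above; it is not hapi's own code or the code from the referenced pull request. It builds a minimal JSONP response body in two shapes: the unpatched shape, whose first bytes are whatever the client supplied as the callback name, and the mitigated shape, which validates the callback name and prepends the empty inline comment. The function names (buildJsonpUnsafe, buildJsonpSafe, startsWithCallerBytes) and the sample request values are assumptions made for this example.

```javascript
// Added illustration (not hapi's code): JSONP body construction before and
// after the "empty comment prefix" mitigation. All names here are hypothetical.

// Accept only conventional JavaScript identifier characters, with dots for
// namespaced callbacks, so the callback parameter cannot carry arbitrary script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Unpatched shape: the body begins with the caller-supplied callback name,
// so the leading bytes of the response are controlled by the requester.
function buildJsonpUnsafe(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Mitigated shape: reject malformed callback names and prepend an empty block
// comment. A browser <script> tag evaluates this identically, but the response
// no longer starts with caller-controlled bytes, which is what the Flash
// parser's leniency depended on.
function buildJsonpSafe(callback, payload) {
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    throw new TypeError('invalid JSONP callback name');
  }
  return `/**/${callback}(${JSON.stringify(payload)});`;
}

// Review/test helper: does the body start with bytes the client chose?
// true means the historical weakness is present.
function startsWithCallerBytes(body, callback) {
  return body.startsWith(callback);
}

// Constructed sample request values (not taken from any real traffic).
const sampleCallback = 'handleUser';
const samplePayload = { id: 7, name: 'example user' };

// Returns both bodies so a caller can compare them side by side.
function demo() {
  return {
    unsafe: buildJsonpUnsafe(sampleCallback, samplePayload),
    safe: buildJsonpSafe(sampleCallback, samplePayload),
  };
}

const bodies = demo();
console.log('unpatched:', bodies.unsafe);
console.log('mitigated:', bodies.safe);
```

The callback-name check is a separate, complementary control: the comment prefix removes caller control over the leading bytes, while the identifier whitelist keeps the callback parameter from being used to inject script into the response at all.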
helpx.adobe.com/security/products/flash-player/apsb14-17.html
miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash
rhn.redhat.com/errata/RHSA-2014-0860.html
secunia.com/advisories/59774
secunia.com/advisories/59837
security.gentoo.org/glsa/glsa-201407-02.xml
www.securityfocus.com/bid/68457
www.securitytracker.com/id/1030533
github.com/hapijs/hapi/commit/d47f57abf23bdaa84f61aed2bac94ae5f358afb7
github.com/patrickkettner
github.com/spumko/hapi
github.com/spumko/hapi/pull/1766
nvd.nist.gov/vuln/detail/CVE-2014-4671
www.npmjs.com/advisories/12