js-beautify is vulnerable to prototype pollution. An attacker is able to pollute any future object creations by passing a crafted malicious payload to _mergeOpts
function in options.js
via the name
variable.
github.com/beautify-web/js-beautify/blob/6fa891e982cc3d615eed9a1a20a4fc50721bff16/js/src/core/options.js#L167
github.com/beautify-web/js-beautify/blob/6fa891e982cc3d615eed9a1a20a4fc50721bff16/js/src/core/options.js#L167.aa
github.com/beautify-web/js-beautify/blob/v1.14.6/js/src/core/options.js#L167
github.com/beautify-web/js-beautify/issues/2106