Open Bug 1488738 Opened 6 years ago Updated 10 months ago

Outdated and Minified JavaScript

Categories

(Firefox :: Normandy Client, task, P4)

61 Branch
task

UNCONFIRMED

People

(Reporter: u621419, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: sec-audit)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180808222917

Steps to reproduce:

In directory toolkit/components/normandy/vendor of the Mozilla Firefox source code a https://reactjs.org/ was found in version 15.6.1. The current release is version 16.5 and version 15.6.2 has been released as well. These updates do not fix any obvious security issues for this version, but contain stability fixes. Due to the obfuscation caused by the minifying process, it is not instantly clear which version is shipped and whether it should be updated. X41 recommends noting the version in use along with the JavaScript source files and establishing a process to keep track of whether there are security updates released for these third-party libraries.

Blocks: 1476958
Group: firefox-core-security
Component: Untriaged → Normandy Client
Keywords: sec-audit
Depends on: 1520362
Severity: normal → S3
a11y-review: requested → ---
Performance Impact: ? → ---
relnote-firefox: ? → ---
Flags: sec-bounty?
Flags: blocking-fx-sync1.7?

This is used by about-studies, which will not be removed when normandy is. However, I'm hesitant to commit to any work on this until after Normandy client is removed from Desktop.

Type: enhancement → task
Priority: -- → P4
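
One way to act on the report's recommendation to record the version beside the vendored files and check it, as an added example that is not code from the bug or from Firefox. The manifest name `VERSIONS.json`, the sample file names and contents, and the assumption that a `Name vX.Y.Z` banner line survives minification are all hypothetical.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumption: a "Name vX.Y.Z" line survives minification in the leading license comment.
BANNER = re.compile(r"^[ \t]*(?:/\*+!?|\*|//)?[ \t]*([A-Za-z][\w.-]*)[ \t]+v(\d+\.\d+\.\d+)\b", re.M)

def banner_version(path, head_bytes=2048):
    """Return the version string found near the top of a JS file, or None."""
    head = path.read_bytes()[:head_bytes].decode("utf-8", "replace")
    match = BANNER.search(head)
    return match.group(2) if match else None

def audit_vendor(vendor_dir, manifest_name="VERSIONS.json"):
    """Compare vendored .js files with the versions recorded beside them."""
    vendor_dir = Path(vendor_dir)
    manifest = vendor_dir / manifest_name  # hypothetical file: {"file.js": "x.y.z"}
    recorded = json.loads(manifest.read_text()) if manifest.exists() else {}
    findings, seen = [], set()
    for js in sorted(vendor_dir.glob("*.js")):
        seen.add(js.name)
        found, want = banner_version(js), recorded.get(js.name)
        if want is None:
            findings.append((js.name, "unrecorded", found))
        elif found is None:
            findings.append((js.name, "no-banner", want))
        elif found != want:
            findings.append((js.name, "mismatch", found))
    for name in sorted(set(recorded) - seen):
        findings.append((name, "missing-file", recorded[name]))
    return findings

def demo():
    """Run the audit over a constructed vendor directory (sample data only)."""
    samples = {
        "react.js": "/**\n * React v15.6.1\n */\n!function(e){e.R={}}(this);",
        "react-dom.js": "/**\n * ReactDOM v15.6.1\n */\n!function(e){e.D={}}(this);",
        "stripped.js": "!function(e){e.x=1}(this);",  # banner removed by the minifier
    }
    recorded = {"react.js": "15.6.1", "react-dom.js": "15.6.2", "gone.js": "1.0.0"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        Path(tmp, "VERSIONS.json").write_text(json.dumps(recorded))
        return audit_vendor(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each finding is a `(file, status, version)` tuple; a file whose banner was stripped and whose version was never recorded shows up as `unrecorded` with no version, which is the situation the report describes.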