Pym.js Library Vulnerability in widgetframe Package
What’s Up?
The NPR Visuals Team created and maintains a JavaScript library that makes it super easy to embed iframes on web pages and have said documents still be responsive.
The widgetframe R htmlwidget uses pym.js to bring this (much needed) functionality into widgets and (eventually) shiny apps.
NPR reported a critical vulnerability in this library on February 15th, 2018, with no details (said details will be coming next week).
Per NPR’s guidance, any production code using pym.js needs to be pulled or updated to use this new library.
I created an issue & pushed up a PR that incorporates the new version. NOTE that the YAML config file in the existing CRAN package and GitHub dev version incorrectly has 1.3.2 as the version (it’s really the 1.3.1 dev version).
suggest that the library was not performing URL sanitization (and now is).
Watch Out For Standalone Docs
Any R Markdown docs compiled in “standalone” mode will need to be recompiled and re-published, as the vulnerable pym.js library comes along for the ride in those documents.
Regardless of “standalone mode”, if you used widgetframe in any context, including:
- Flex Dashboard
- RMarkdown + knitr
- RMarkdown Website
- Xaringan Presentations (and other html-based R pres)
- Bookdown gitbook
- blogdown
anything created is vulnerable, whether or not it was compiled in standalone mode.
FIN
Once the final details are released I’ll update this post and may do a new post. Until then:
- check if you’ve used widgetframe (directly or indirectly)
- REMOVE ALL VULNERABLE DOCS from RPubs, GitHub pages, your web site (etc) today
- regenerate all standalone documents ASAP
- regenerate your blogs, books, dashboards, etc ASAP with the patched code; DO THIS FOR INTERNAL as well as internet-facing content.
- monitor this space
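The first step above (finding out whether you have used widgetframe, directly or indirectly) is easy to get wrong by hand across a blog, a bookdown site and a pile of standalone HTML files. The script below is an added example, not code from the post or from the widgetframe/pym.js projects: it walks a directory of rendered HTML, flags documents that either inline pym.js (standalone mode) or load it via `<script src=...>` (the `*_files`/`site_libs` layout), and reports any version banner it can find. It assumes that pym.js builds carry a banner comment of the form `pym.js - vX.Y.Z` and that the public entry points are `pym.Parent`, `pym.Child` and `pym.autoInit`; the sample documents at the bottom are constructed for illustration. Because the post does not name the fixed release number, the script only tells you where pym.js is present and which version string it sees, leaving the comparison against the patched version to you.

```python
"""Locate rendered HTML that embeds or references pym.js (added example)."""
import re
import sys
from pathlib import Path

# Assumption: pym.js builds ship with a banner such as "/*! pym.js - v1.3.1 - ... */".
BANNER_RE = re.compile(r"pym\.js\s*-\s*v(\d+\.\d+\.\d+)", re.IGNORECASE)
# Non-standalone R Markdown output loads the library from a lib dir via src=.
SRC_RE = re.compile(r"""<script[^>]*\bsrc=["']([^"']*pym[^"']*)["']""", re.IGNORECASE)
# Standalone output inlines the library in a <script> block with no src=.
INLINE_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>",
                       re.IGNORECASE | re.DOTALL)
# Public pym.js entry points that the widgetframe binding calls.
API_RE = re.compile(r"\bpym\.(Parent|Child|autoInit)\b")


def scan_html(html):
    """Describe how (if at all) pym.js shows up in one HTML document."""
    inline = False
    for match in INLINE_RE.finditer(html):
        body = match.group(1)
        if BANNER_RE.search(body) or API_RE.search(body):
            inline = True  # library or its API is embedded in the page itself
            break
    return {
        "inline_pym": inline,
        "external_pym": SRC_RE.findall(html),
        "versions": sorted(set(BANNER_RE.findall(html))),
    }


def uses_pym(report):
    """True when the document must be regenerated or pulled."""
    return report["inline_pym"] or bool(report["external_pym"])


def scan_tree(root):
    """Map every affected .html/.htm file under root to its scan report."""
    hits = {}
    for path in Path(root).rglob("*.htm*"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip, do not abort the whole scan
        report = scan_html(text)
        if uses_pym(report):
            hits[str(path)] = report
    return hits


# Constructed sample documents (not real widgetframe output).
STANDALONE_DOC = ('<html><head><script>/*! pym.js - v1.3.1 - 2017-01-01 */'
                  'var pym={};new pym.Parent("w","child.html",{});</script>'
                  '</head><body></body></html>')
SITE_DOC = ('<html><head><script src="site_libs/pym-1.3.2/pym.v1.min.js">'
            '</script></head><body></body></html>')
CLEAN_DOC = ('<html><head><script src="site_libs/jquery/jquery.min.js"></script>'
             '<script>console.log("hi")</script></head></html>')

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, rep in sorted(scan_tree(root).items()):
        how = "inline" if rep["inline_pym"] else "external"
        vers = ",".join(rep["versions"]) or "unknown version"
        print(f"{file}: pym.js {how} ({vers}) -> regenerate with patched library")
```

Run it as `python scan_pym.py public/` (or against your blogdown, bookdown or flexdashboard output directory) and work through the reported files; a document that is flagged as `inline` is a standalone render and has to be recompiled, whereas an `external` hit means the shared lib directory has to be regenerated and redeployed.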