This module has a 'missing sub resource integrity' vulnerability.
You can see this vulnerability by:
1. Enabling the module
2. The module loads third-party library https://cdn.siteimprove.net/cms/overlay.js
3. When navigating to a page you see the above mentioned library do not contain 'integrity' and 'crossorigin=anonymous' attribute.
Any module library can be modified by hook_library_info_alter() and these attributes can be added. But my gut feeling is we need to add these attributes to site improve.libraries.yml
SRI Hash value can be obtained here - https://report-uri.com/home/sri_hash
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | sri_hash-3133771-2.patch | 709 bytes | wil2091 |
| #2 | Screenshot 2020-05-05 at 11.01.16 PM.png | 77.47 KB | wil2091 |
| #2 | Screenshot 2020-05-05 at 11.00.29 PM.png | 96.33 KB | wil2091 |
Comments
Comment #2
wil2091 commentedAdded the integrity attribute to the external js https://cdn.siteimprove.net/cms/overlay.js
Please verify the patch.
Here are the screenshots of the view source page & network
Comment #3
wil2091 commentedComment #4
beltofteHi @wil2091 ,
Thanks for your patch. I will discuss it with Siteimprove and decided if we should add it or not.
Best regards,
Jens
Comment #5
beltofteComment #7
beltofteComment #9
beltofteWe will revert this change and remove the SRI hash from the library file. Siteimprove is currently not supporting versioning of their overlay.js file, and this means that every time Siteimprove release an updated version of overlay.js, will browsers immediately block the overlay.js file and we will have to release a new version of the module with an updated hash. We are discussing with Siteimprove to support versioning of their overlay.js file and if/when they support it will we add a SRI hash again.
Comment #11
beltofteFixed in 8.x-1.7.
Comment #12
bartvig commented