The file mediaelement-and-player.min.js contains allowScriptAccess value "always" which is a security issue.
The AllowScriptAccess setting determines a SWF's ability to communicate with the browser using commands like fscommand() and ExternalInterface().
By default a SWF file and an HTML page loading the SWF can communicate only if both are located within the same domain. Setting the value of the AllowScriptAccess parameter in the PARAM or EMBED tag in an HTML page to "always" will allow a SWF file to communicate with an HTML page even if they are from different domains. This can result in attacks such as script injection, cross-domain privilege escalation, etc.
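An added example, not code from the mediaelement.js project or from anyone in this thread: a small JavaScript scanner that finds every allowScriptAccess setting in HTML or JavaScript source (a `<param>` tag in either attribute order, an attribute on `<embed>`/`<object>`, or an `allowScriptAccess:` key in player options) and flags the value "always". Because a minified player file builds its `<param>` tags as JS strings, the same patterns hit there too. The sample markup, the hardened variant and the file name `player.swf` are constructed for the demonstration; "sameDomain" is Flash Player's default when the parameter is omitted, and "never" disables the JavaScript bridge entirely.

```javascript
// Added example (not mediaelement.js code): scan HTML/JS source for
// allowScriptAccess settings and flag the "always" value described above.

// Values that keep the SWF <-> page bridge restricted. "sameDomain" is the
// Flash Player default when the parameter is omitted.
const SAFE_VALUES = new Set(["never", "samedomain"]);

function makeFinding(source, index, rawValue) {
  return {
    line: source.slice(0, index).split("\n").length, // 1-based line number
    offset: index,                                   // handy for minified (single-line) files
    value: rawValue,
    insecure: !SAFE_VALUES.has(rawValue.toLowerCase()),
  };
}

// Finds every allowScriptAccess setting in `source`:
//  1. <param name="allowScriptAccess" value="..."> in either attribute order
//  2. allowScriptAccess="..." as an <embed>/<object> attribute, or
//     allowScriptAccess: "..." as a key in JavaScript/JSON player options
function scanAllowScriptAccess(source) {
  const findings = [];
  let m;

  const paramTag = /<param\b[^>]*>/gi;
  while ((m = paramTag.exec(source)) !== null) {
    const tag = m[0];
    const name = /\bname\s*=\s*["']?([^"'\s\/>]+)/i.exec(tag);
    const value = /\bvalue\s*=\s*["']?([^"'\s\/>]+)/i.exec(tag);
    if (name && value && name[1].toLowerCase() === "allowscriptaccess") {
      findings.push(makeFinding(source, m.index, value[1]));
    }
  }

  // Attribute or object-key form. A <param name="allowScriptAccess" ...> tag
  // is not re-matched here because "allowScriptAccess" is followed by a
  // quote and then `value=`, never by ':' or '='.
  const attrOrKey = /\ballowScriptAccess\b["']?\s*[:=]\s*["']?([A-Za-z]+)/gi;
  while ((m = attrOrKey.exec(source)) !== null) {
    findings.push(makeFinding(source, m.index, m[1]));
  }

  return findings.sort((a, b) => a.offset - b.offset);
}

function insecureFindings(source) {
  return scanAllowScriptAccess(source).filter((f) => f.insecure);
}

// Human-readable report lines, one per finding.
function report(source) {
  return scanAllowScriptAccess(source).map(
    (f) => `line ${f.line}: allowScriptAccess=${f.value}` + (f.insecure ? "  <-- flag" : "")
  );
}

// Constructed sample: the weak embed the issue describes, in all three forms.
// "player.swf" is a placeholder file name.
const WEAK_SAMPLE = [
  '<object type="application/x-shockwave-flash" data="player.swf">',
  '  <param name="movie" value="player.swf">',
  '  <param value="always" name="allowScriptAccess">',
  '</object>',
  '<embed src="player.swf" allowScriptAccess="always">',
  'var flashVars = { allowScriptAccess: "always", autoplay: false };',
].join("\n");

// The same markup with the restricted value; the SWF and the page must then
// be served from the same origin for ExternalInterface calls to keep working.
const HARDENED_SAMPLE = WEAK_SAMPLE.replace(/"always"/g, '"sameDomain"');

for (const line of report(WEAK_SAMPLE)) console.log(line);
```

To check a real file, read it with `fs.readFileSync(path, "utf8")` and pass the contents to `insecureFindings`; on a minified file every finding reports line 1, so use `offset` to locate it. The caveat when switching to "sameDomain": if the SWF is served from another origin (a CDN, for instance) the JavaScript bridge stops working, so either serve the SWF from the page's origin or accept that the Flash fallback loses its controls, rather than leaving "always" in place.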

Comments

sidharthap

Can we just use the allowScriptAccess value sameDomain? Here are the reference links.
About flash security : https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project
About the flash parameter : http://blog.watchfire.com/FPI.pdf

Thanks
Sidhartha

heddn

Status: Active » Closed (works as designed)

Two things here:

Marking as working as designed, since this can't be fixed in the Drupal module, since this is libraries wrapper project. By design, it doesn't incorporate the upstream project directly.

gregoryo

Note for anyone seeing this page: the upstream code from mediaelement.js has been patched to default to a setting which will not trigger an OWASP security alert. c.f. https://github.com/johndyer/mediaelement/pull/1390