While this doesn't appear to directly result in a vulnerability in this module, the bundled YUI library is deprecated and has known vulnerabilities externally.
A RetireJS scan of this module turned up:
severity: high; CVE: CVE-2012-5882; http://www.cvedetails.com/cve/CVE-2012-5882/
severity: high; CVE: CVE-2012-5881; http://www.cvedetails.com/cve/CVE-2012-5881/
severity: medium; CVE: CVE-2010-4710; http://www.cvedetails.com/cve/CVE-2010-4710/
severity: high; CVE: CVE-2010-4208; http://www.cvedetails.com/cve/CVE-2010-4208/
severity: high; CVE: CVE-2010-4207; http://www.cvedetails.com/cve/CVE-2010-4207/
You can see this by:
1. Downloading this module package
2. Running RetireJS against the contents
3. Validating the results against the CVE database.
As OWASP A-9 "Using components with known vulnerabilities" is a real concern, this should probably get fixed, as the longer this legacy library sits there, the greater the chance that vulnerabilities arise.
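The scan-and-validate steps described in the report above can be made repeatable. This is an added example, not code from the module or from RetireJS: it reduces a RetireJS JSON report to deduplicated severity/CVE lines and gates on a severity threshold. The report shape, the sample file paths and the version string are assumptions or constructed placeholders.

```javascript
// Added example: summarise a RetireJS JSON report into severity/CVE lines.
// ASSUMPTION: the report looks like { data: [ { file, results: [ { component,
//   version, vulnerabilities: [ { severity, identifiers: { CVE: [...] } } ] } ] } ] }
// (or the bare array); adjust the accessors if your RetireJS version differs.
const RANK = { critical: 4, high: 3, medium: 2, low: 1 };

function summarise(report) {
  const entries = Array.isArray(report) ? report : (report.data || []);
  const byCve = new Map(); // CVE id -> { cve, severity, component, files }
  for (const entry of entries) {
    for (const res of entry.results || []) {
      for (const vuln of res.vulnerabilities || []) {
        const ids = (vuln.identifiers && vuln.identifiers.CVE) || [];
        for (const cve of ids) {
          // The same CVE is usually reported once per matching file: merge them.
          const seen = byCve.get(cve) || { cve, severity: vuln.severity || 'unknown',
            component: res.component, files: new Set() };
          seen.files.add(entry.file);
          byCve.set(cve, seen);
        }
      }
    }
  }
  // Highest severity first, then CVE id, so the worst findings lead the list.
  return [...byCve.values()].sort((a, b) =>
    (RANK[b.severity] || 0) - (RANK[a.severity] || 0) || a.cve.localeCompare(b.cve));
}

// Step 3 (validation): a lookup URL per CVE, in the form used in the report above.
function cveUrl(cve) { return `http://www.cvedetails.com/cve/${cve}/`; }

// Gate: true when any finding is at or above the threshold severity.
function exceeds(findings, threshold) {
  return findings.some(f => (RANK[f.severity] || 0) >= RANK[threshold]);
}

// Constructed sample report (file paths and version are placeholders).
const SAMPLE = { data: [
  { file: 'module/lib/yui/yui-min.js', results: [{ component: 'yui', version: '0.0.0-placeholder',
    vulnerabilities: [
      { severity: 'medium', identifiers: { CVE: ['CVE-2010-4710'] } },
      { severity: 'high', identifiers: { CVE: ['CVE-2012-5882', 'CVE-2012-5881'] } }] }] },
  { file: 'module/lib/yui/yui.js', results: [{ component: 'yui', version: '0.0.0-placeholder',
    vulnerabilities: [{ severity: 'high', identifiers: { CVE: ['CVE-2012-5882'] } }] }] }] };

for (const f of summarise(SAMPLE)) {
  console.log(`severity: ${f.severity}; CVE: ${f.cve}; ${cveUrl(f.cve)} (${f.files.size} file(s))`);
}
```

A version match from the scanner still needs the manual validation step: check whether the files each CVE actually affects are shipped in the package.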
Comments
Comment #2
hass commented:
Only non-bundled .SWF files have issues.