Hi,

The simpler stuff to close CVE-2025-1647 is to drop IE8 support (that does not support CreateHTMLDocument) and use CreateHTMLDocument directly and unconditionally.

Another possibility is to test if the class is of DOMImplementation type.

Injection is here:
https://sources.debian.org/src/twitter-bootstrap3/3.4.1%2Bdfsg-4/js/tooltip.js/#L111

Beuc, what is your point of view?

rouca