
Drop support of IE8 and browsers before 2015 in order to close CVEs?



Hi,

The simplest thing to close CVE-2025-1647 is to drop IE8 support (which does not support CreateHTMLDocument) and use CreateHTMLDocument directly and unconditionally.

Another possibility is to test if the class is of DOMImplementation type.

Injection is here:
https://sources.debian.org/src/twitter-bootstrap3/3.4.1%2Bdfsg-4/js/tooltip.js/#L111

Beuc, what is your point of view?

rouca
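
The two options in the message above, compared with a fail-open fallback, as an added example that is not part of the original message and not Bootstrap's code. It assumes the linked code returns its input unchanged when `createHTMLDocument` is unavailable; `FakeDOMImplementation`, `filterStub`, `outcomes` and the `sanitize*` names are hypothetical stand-ins.

```javascript
// Added illustration, not Bootstrap's code. `doc` stands in for `document`.
// Constructed stand-ins so the comparison runs outside a browser:
class FakeDOMImplementation {
  createHTMLDocument(title) { return { title }; }
}
const modernDoc = { implementation: new FakeDOMImplementation() };
const legacyDoc = { implementation: {} }; // no createHTMLDocument, IE8-like
const SAMPLE = '<b onclick="f()">tip</b>'; // constructed input

// Placeholder for the real allow-list pass on the inert document.
// It only strips tags so the three outcomes are easy to tell apart.
function filterStub(inertDoc, html) {
  return html.replace(/<[^>]*>/g, '');
}

// Assumed current shape: feature-detect, fall back to the raw string.
function sanitizeFallback(doc, html) {
  if (!doc.implementation || !doc.implementation.createHTMLDocument) {
    return html; // fails open: unsanitized markup is returned
  }
  return filterStub(doc.implementation.createHTMLDocument('sanitization'), html);
}

// First option in the mail: no fallback, call the API unconditionally.
// Where the API is missing this throws instead of returning raw markup.
function sanitizeUnconditional(doc, html) {
  return filterStub(doc.implementation.createHTMLDocument('sanitization'), html);
}

// Second option: require a genuine DOMImplementation, else fail closed.
// In a browser `Impl` would be window.DOMImplementation.
function sanitizeTypeChecked(doc, html, Impl) {
  if (!(doc.implementation instanceof Impl)) {
    return '';
  }
  return filterStub(doc.implementation.createHTMLDocument('sanitization'), html);
}

// Run all three against one document and report what each returns.
function outcomes(doc) {
  let unconditional;
  try { unconditional = sanitizeUnconditional(doc, SAMPLE); }
  catch (e) { unconditional = 'threw ' + e.name; }
  return {
    fallback: sanitizeFallback(doc, SAMPLE),
    unconditional,
    typeChecked: sanitizeTypeChecked(doc, SAMPLE, FakeDOMImplementation),
  };
}
```

Only the fallback variant hands back the raw markup for `legacyDoc`; the unconditional call throws and the type check returns an empty string, so neither lets unsanitized input through.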
