FS#41582 - [elinks] JavaScript support has many known vulnerabilities

Attached to Project: Community Packages
Opened by Daniel Micay (thestinger) - Sunday, 17 August 2014, 10:20 GMT
Last edited by Eli Schwartz (eschwartz) - Monday, 07 August 2017, 00:00 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Kyle Keen (keenerd)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

There are dozens of known and unfixed security holes in SpiderMonkey 1.8.5, so running untrusted code with it isn't going to turn out well. JavaScript support should be left out in these web browsers unless it gets updated to use the maintained SpiderMonkey version. It's not possible for users to make use of this feature securely.

Closed by Eli Schwartz (eschwartz)
Monday, 07 August 2017, 00:00 GMT
Reason for closing: Fixed
Additional comments about closing: elinks 0.13-19

https://www.archlinux.org/todo/remove-js185-from-the-repos/
Comment by Kyle Keen (keenerd) - Sunday, 17 August 2014, 13:02 GMT
I've been working on patching elinks for a newer spidermonkey for a while. 17.0.0 has been a lot easier than 24.X.X in this migration, is that version acceptable for you?
Comment by Daniel Micay (thestinger) - Sunday, 17 August 2014, 13:23 GMT
If we were using the ESR branch of v17 like Debian, it'd be fine, but what we have now has unfixed vulnerabilities. The ESR branch is a working option in the short term but it will eventually become fully unmaintained too.
Comment by Alexander F. Rødseth (xyproto) - Sunday, 24 August 2014, 17:15 GMT
Both Netsurf and Elinks have javascript disabled by default, which reduces the immediacy somewhat.

I agree that the javascript engines should be updated or disabled.
Comment by Alexander F. Rødseth (xyproto) - Wednesday, 27 August 2014, 20:22 GMT
Disabled javascript in netsurf and updated the package. Removing myself from the list of assignees.
