GHSA-w364-8vfv-gvf5
GitHub Security Advisory
Downloads Resources over HTTP in phantomjs-cheniu
Advisory Details
Affected versions of `phantomjs-cheniu` insecurely download an executable over an unencrypted HTTP connection.
In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `phantomjs-cheniu`.
## Recommendation
No patch is currently available for this vulnerability.
As this package is just a fork of Medium's [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs) package, the best mitigation is currently to install the `Medium` version of [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs). This can be done via the following command:
```
npm i phantomjs-prebuilt
```
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.