Running with Scissors: The Dangers of Cutting and Pasting Sample Code
May 02, 2018 | Simon Zuckerbraun
As a developer, you are a busy person and have no time for writing such a polyfill. Fear not! The Mozilla website provides this example for everyone to use:
While this code example provides the needed functionality to the otherwise unsupported browsers, it also introduces a security vulnerability. The specific flaw is the use of eval on line 3 of the sample. eval does not parse its argument as data; it executes it as JavaScript, so anything that is valid JavaScript, not only valid JSON, will run. In cases where an attacker is in a position to send phony “JSON” data that will arrive and be parsed by this polyfill, the attacker can inject arbitrary script, better known as Cross-Site Scripting (XSS). An attacker can leverage this vulnerability to disclose information or perform other actions in the context of the victim origin.
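To make the distinction between evaluating and parsing concrete, here is an added example written for this page; it is not the MDN sample itself. evalParse reproduces the eval-based pattern described above, PAYLOAD is a constructed attacker string, the pwned global is an illustrative marker, and safeParse is a small recursive-descent JSON parser that never hands its input to the JavaScript engine, which is the kind of replacement a polyfill for a browser without native JSON would need.

```javascript
// The dangerous pattern: wrap untrusted text in parentheses and eval it.
// Valid JSON is also valid JavaScript, so this "works" on honest input, but
// anything else that is valid JavaScript is executed as well.
function evalParse(sJSON) {
  return eval('(' + sJSON + ')');
}

// Constructed attacker payload. It is not JSON, but once wrapped in "(" and ")"
// it is a self-invoking function that runs in the page's origin. Here it only
// sets a global marker; a real payload would read cookies, DOM, etc.
var PAYLOAD = 'function(){ globalThis.pwned = "attacker code ran"; return {} }()';

// A minimal no-eval JSON parser (RFC 8259 grammar): objects, arrays, strings
// with escapes, numbers, true/false/null. Anything else is a SyntaxError.
function safeParse(text) {
  var i = 0;
  function ws() { while (i < text.length && /[ \t\r\n]/.test(text[i])) i++; }
  function expect(c) {
    if (text[i] !== c) throw new SyntaxError('Expected "' + c + '" at ' + i);
    i++;
  }
  function literal(word, val) {
    if (text.substr(i, word.length) !== word) throw new SyntaxError('Bad literal at ' + i);
    i += word.length;
    return val;
  }
  function number() {
    var m = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?/.exec(text.slice(i));
    if (!m) throw new SyntaxError('Bad number at ' + i);
    i += m[0].length;
    return Number(m[0]);
  }
  function string() {
    expect('"');
    var out = '';
    var simple = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };
    while (i < text.length) {
      var c = text[i++];
      if (c === '"') return out;
      if (c === '\\') {
        var e = text[i++];
        if (e === 'u') {
          var hex = text.substr(i, 4);
          if (!/^[0-9a-fA-F]{4}$/.test(hex)) throw new SyntaxError('Bad \\u escape at ' + i);
          out += String.fromCharCode(parseInt(hex, 16));
          i += 4;
        } else if (e in simple) {
          out += simple[e];
        } else {
          throw new SyntaxError('Bad escape at ' + i);
        }
      } else if (c < ' ') {
        throw new SyntaxError('Control character in string at ' + i);
      } else {
        out += c;
      }
    }
    throw new SyntaxError('Unterminated string');
  }
  function array() {
    expect('[');
    var arr = [];
    ws();
    if (text[i] === ']') { i++; return arr; }
    for (;;) {
      arr.push(value());
      ws();
      if (text[i] === ',') { i++; continue; }
      expect(']');
      return arr;
    }
  }
  function object() {
    expect('{');
    var obj = {};
    ws();
    if (text[i] === '}') { i++; return obj; }
    for (;;) {
      ws();
      var k = string();
      ws();
      expect(':');
      var v = value();
      // Define an own property even for "__proto__" so a crafted key cannot
      // swap the object's prototype (what native JSON.parse does).
      Object.defineProperty(obj, k, { value: v, enumerable: true, writable: true, configurable: true });
      ws();
      if (text[i] === ',') { i++; continue; }
      expect('}');
      return obj;
    }
  }
  function value() {
    ws();
    var c = text[i];
    if (c === '{') return object();
    if (c === '[') return array();
    if (c === '"') return string();
    if (c === 't') return literal('true', true);
    if (c === 'f') return literal('false', false);
    if (c === 'n') return literal('null', null);
    if (c === '-' || (c >= '0' && c <= '9')) return number();
    throw new SyntaxError('Unexpected character at ' + i);
  }
  var result = value();
  ws();
  if (i !== text.length) throw new SyntaxError('Trailing data at ' + i);
  return result;
}

// Feed the same attacker string to both parsers and report what happened.
function demo() {
  delete globalThis.pwned;
  evalParse(PAYLOAD);
  var ranViaEval = globalThis.pwned === 'attacker code ran';
  delete globalThis.pwned;
  var rejected = false;
  try { safeParse(PAYLOAD); } catch (e) { rejected = e instanceof SyntaxError; }
  return { ranViaEval: ranViaEval, safeParseRejected: rejected, pwnedAfterSafeParse: 'pwned' in globalThis };
}
```

Running demo() shows ranViaEval true and safeParseRejected true: the eval-based parser executed the payload, the grammar-based parser threw a SyntaxError at the first character and nothing ran. The lesson generalizes to any eval-with-untrusted-data shortcut, not only this polyfill.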
The dangerous code was removed in revision 31806 on March 30, 2012 but was subsequently added back in revision 31810 on April 12 of that same year. After we disclosed this problem to Mozilla, this sample was removed again with revision 1370011 on March 28, 2018. Hopefully, this time it stays gone. That final revision includes the note, “Remove polyfill for JSON - only needed for IE < 8, and they often have security vulnerabilities.” An accurate statement if ever there was one.
JSON isn’t natively supported in IE versions prior to IE8, and those versions of IE are no longer supported by Microsoft. Because the polyfill only activates when the browser lacks a native JSON object, the flaw is reachable only in those old browsers, but every page that ships the sample carries it. While these old, unsupported browsers do still see some usage, developers should not be coding for them. Let’s face it, if you’re running IE6, a polyfill for a JSON object should be pretty low on your list of concerns. This is also a reminder that when you cut and paste code from the internet, even from reputable sites, you inherit any vulnerabilities that may exist in that code. Always review it carefully to ensure you understand the security risk when you accept code from online resources.