Noticed that the last update to Flare mentioned a security patch.
Digging into that, it's an update to require.js, moving from 2.3.6 to 2.3.7
This one is bad, and the vulnerability has been known since June / July of last year. I can't believe that they're only getting around to patching it now and that they haven't made more of an effort to let customers know. Until I started digging into this, I also didn't know about an earlier vulnerability: https://www.blackduck.com/blog/cyrc-adv ... ck-hub.htm
Our customers are extremely security conscious, and now we're going to have egg on our face as we explain this to them. I understand that security vulnerabilities happen, but I'm beyond ticked that MadCap didn't patch this one faster and that they didn't do a better job of communicating it.
Require.js Security Vulnerability
-
BedfordWriter
- Sr. Propeller Head
- Posts: 231
- Joined: Wed Jun 23, 2010 10:13 am
- Location: Nova Scotia
Re: Require.js Security Vulnerability
Yup. There is also a DOMPurify patch that I found out about here - viewtopic.php?t=34821
Seems to me like it was only communicated to people who reported it or had a ticket open etc.
Very bad communication from MadCap on this, and considering they seemingly want to see more and more use of MadCap/Flare Central, having security flaws in the output that will be hosted there seems as if it should concern them greatly.
MadCap, you need a Community Manager who actually speaks to people on the Forums and on Slack.
-
BedfordWriter
- Sr. Propeller Head
- Posts: 231
- Joined: Wed Jun 23, 2010 10:13 am
- Location: Nova Scotia
Re: Require.js Security Vulnerability
AlexFox wrote: Tue May 06, 2025 7:12 am Yup. There is also a DOMPurify patch that I found out about here - viewtopic.php?t=34821
Seems to me like it was only communicated to people who reported it or had a ticket open etc.
Very bad communication from MadCap on this, and considering they seemingly want to see more and more use of MadCap/Flare Central, having security flaws in the output that will be hosted there seems as if it should concern them greatly.
MadCap, you need a Community Manager who actually speaks to people on the Forums and on Slack.
-
BedfordWriter
- Sr. Propeller Head
- Posts: 231
- Joined: Wed Jun 23, 2010 10:13 am
- Location: Nova Scotia
Re: Require.js Security Vulnerability
Thanks for the info.
Given that it seems we cannot trust MadCap to be proactive about security, I've dug through a recent documentation build to compile a list of included third-party JS libraries. We're going to monitor these ourselves and will apply our own patches as required while waiting for security fixes from MadCap.
I'd be very grateful if anyone can add to this list if I missed any.
- jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license *
- RequireJS 2.3.7 Copyright jQuery Foundation and other contributors.
- FOUNDATION_VERSION = '6.2.3'; * Foundation Responsive Library
- DOMPurify 3.2.4 | (c) Cure53 and other contributors
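The inventory above was compiled by hand from the banner comments at the top of the minified scripts in the build. The following script automates that step so the check can be re-run on every build: it scans the output for the four banners named in this thread, extracts the version strings, and flags anything below a configured minimum. This is an added example and not code from the thread or from MadCap; the file paths and file contents are constructed samples, and the only minimum version taken from the thread is RequireJS 2.3.7 (the release the first post identifies as the security patch). Minimums for the other libraries are left for the reader to fill in from each project's own release notes.

```python
import re
from pathlib import Path
from typing import Dict, Tuple

# Constructed sample: the kind of banner comments found at the top of the
# minified JS files in a Flare HTML5 output folder. Paths and contents are
# made up for this example; RequireJS is deliberately set to the pre-patch
# version so the outdated check has something to flag.
SAMPLE_FILES = {
    "Resources/Scripts/jquery.min.js":
        "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */",
    "Resources/Scripts/require.min.js":
        "/** @license RequireJS 2.3.6 Copyright jQuery Foundation and other contributors. */",
    "Resources/Scripts/foundation.min.js":
        "var FOUNDATION_VERSION = '6.2.3'; /* Foundation Responsive Library */",
    "Resources/Scripts/purify.min.js":
        "/*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors */",
    "Resources/Scripts/MadCapAll.js":
        "// vendor code without a third-party banner",
}

# One regex per library listed in the thread; each captures the dotted version.
BANNER_PATTERNS = {
    "jquery": re.compile(r"jQuery v(\d+\.\d+\.\d+)"),
    "requirejs": re.compile(r"RequireJS (\d+\.\d+\.\d+)"),
    "foundation": re.compile(r"FOUNDATION_VERSION\s*=\s*'(\d+\.\d+\.\d+)'"),
    "dompurify": re.compile(r"DOMPurify (\d+\.\d+\.\d+)"),
}

# Minimum acceptable versions. RequireJS 2.3.7 comes from the thread; add the
# others from the respective projects' advisories (placeholder: none set).
MIN_VERSIONS = {
    "requirejs": "2.3.7",
}

# Only the head of each file is needed; banners sit in the first few lines.
HEAD_BYTES = 4096


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.10' -> (2, 3, 10), so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def inventory(files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map library name -> (version, path) for every banner found in files."""
    found: Dict[str, Tuple[str, str]] = {}
    for path, text in files.items():
        for lib, pattern in BANNER_PATTERNS.items():
            match = pattern.search(text)
            if match:
                found[lib] = (match.group(1), path)
    return found


def inventory_dir(root: str) -> Dict[str, Tuple[str, str]]:
    """Same as inventory(), but reads the head of every .js file under root."""
    files = {}
    for js in Path(root).rglob("*.js"):
        with open(js, "r", encoding="utf-8", errors="replace") as fh:
            files[str(js)] = fh.read(HEAD_BYTES)
    return inventory(files)


def outdated(inv: Dict[str, Tuple[str, str]],
             minimums: Dict[str, str] = MIN_VERSIONS) -> Dict[str, Tuple[str, str]]:
    """Libraries whose shipped version is below the configured minimum."""
    return {
        lib: (ver, path)
        for lib, (ver, path) in inv.items()
        if lib in minimums and parse_version(ver) < parse_version(minimums[lib])
    }


if __name__ == "__main__":
    # Run against the constructed sample; swap in inventory_dir("Output/...")
    # to scan a real build folder.
    inv = inventory(SAMPLE_FILES)
    for lib, (ver, path) in sorted(inv.items()):
        print(f"{lib:<11} {ver:<8} {path}")
    for lib, (ver, path) in outdated(inv).items():
        print(f"OUTDATED: {lib} {ver} < {MIN_VERSIONS[lib]} ({path})")
```

The regexes are anchored to the exact banner text the thread quotes, so a future library swap (or a vendor that strips license headers during minification) produces a silent miss rather than a false version; treat an empty inventory entry as a finding in its own right and check the file by hand.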