Package: debian-security-support Version: 2020.04.16 Severity: normal X-Debbugs-Cc: [email protected], [email protected], [email protected]
mozjs68 has essentially the same security status as mozjs60, and I'm not sure how realistic it is to expect it to be safe for use with untrusted content. The GNOME team mainly maintains it as a dependency of gjs, where this restriction is not a problem because the JavaScript code is fully trusted anyway (JavaScript as an alternative to Python etc., rather than JavaScript as a sandboxed language like its use on the web). Note that this conflicts somewhat with the existence of libproxy1-plugin-mozjs, which uses mozjs68 to parse proxy autoconfiguration files; but that isn't a regression, because older versions of libproxy1-plugin-mozjs used mozjs60 or older, which have the same limited security support. I'm not sure whether there is any reasonable threat model where PAC is *completely* untrusted content, but I'm not sure whether it can be considered to be completely trusted either? libproxy1-plugin-mozjs doesn't actually *work* in non-trivial cases (https://github.com/libproxy/libproxy/issues/119), it has a popcon score of 108 installations, and mozjs68 appears to be less portable than WebKitGTK in practice, so perhaps it would make sense to just remove that plugin. smcv

