Pym.js Security Alert

A security vulnerability has been discovered in Pym.js (http://blog.apps.npr.org/pym.js/), a popular public media project that allows iframes to be responsively embedded on web pages. The vulnerability is present in Pym.js versions 0.4.2 (released April 24th 2015) through 1.3.1 (released February 12th 2018).

Note that if you’re using our Pym.js CDN, you’re good. We’ve already pushed out a fix.

The severity of the security vulnerability is high. You should upgrade all projects that use Pym.js as soon as possible.

We will file a public CVE (Common Vulnerabilities and Exposures) entry early in the week of Feb 19th 2018 with more details about the vulnerability.

How do I fix it?

All users of pym.js must upgrade to 1.3.2. The easiest way to ensure you’re up-to-date is to use our CDN version that’s already patched and will continue to be updated.

The most recent Pym.js version is backwards compatible with every previous version back to 0.1.1 (released June 18th 2014).

Scenario 1 - Your projects use a pym version newer than release 0.1.1:

  • Replace your pym.js library reference (both in the parent and the child) with the minified or unminified version in the CDN (recommended to stay up-to-date with patches and new functionality). If you still prefer to use a local version of Pym then replace your Pym.js library with the new version 1.3.2.
  • Redeploy your projects

Scenario 2 - Your projects use a pym version older than release 0.1.1:

  • Replace your pym.js library reference (both in the parent and the child) with the minified or unminified version in the CDN (recommended to stay up-to-date with patches and new functionality).
  • If you still prefer to use a local version of Pym then replace your Pym.js library with the new version 1.3.2.
  • Since the functionality of that older version of pym was more limited and is incompatible, you’ll need to go through the JavaScript of your child (the embedded page), search for sendHeightToParent() calls and replace them with sendHeight(). That should be the only code change required.
  • Redeploy your projects
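Both scenarios come down to two checks: is every pym.js reference on your pages at 1.3.2 or newer, and (for Scenario 2) are there any leftover sendHeightToParent() calls in the child code. The script below is an added example written for this post, not code from the NPR Visuals team or the Pym.js project. It assumes the library files are named with the version in the filename (for example pym-1.3.1.min.js); adapt the regular expression to whatever naming your build uses. The HTML and child JavaScript it scans are constructed samples.

```javascript
// Added example, not part of the Pym.js project: audit a page for Pym.js
// references inside the affected range 0.4.2 .. 1.3.1, and rewrite the legacy
// sendHeightToParent() calls that Scenario 2 describes.

// Parse "1.3.1" -> [1, 3, 1]; null for anything that is not plain x.y.z.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric compare, so "0.10.0" sorts after "0.4.2" (a string compare would not).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const FIRST_AFFECTED = parseVersion("0.4.2"); // range named in the advisory
const LAST_AFFECTED = parseVersion("1.3.1");
const FIXED = parseVersion("1.3.2");

// true inside the affected range, false outside it, null when unparseable.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compareVersions(v, FIRST_AFFECTED) >= 0 &&
         compareVersions(v, LAST_AFFECTED) <= 0;
}

// Find <script src="..."> tags that reference pym and classify each one.
// The "pym-<x.y.z>" filename pattern is an assumption made for this example.
function auditPymScripts(html) {
  const results = [];
  const tagRe = /<script[^>]*\bsrc\s*=\s*["']([^"']*pym[^"']*)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[1];
    const verMatch = /pym[-.v]?(\d+\.\d+\.\d+)/i.exec(src);
    const version = verMatch ? verMatch[1] : null;
    let status;
    if (version === null) status = "unknown-version"; // review by hand
    else if (isAffected(version)) status = "affected";
    else if (compareVersions(parseVersion(version), FIXED) >= 0) status = "patched";
    else status = "older-than-affected-range"; // pre-0.4.2: still upgrade
    results.push({ src, version, status });
  }
  return results;
}

// Scenario 2 migration: sendHeightToParent() -> sendHeight(). Only bare
// call sites are rewritten; the count confirms the edit actually did work.
function migrateChildScript(js) {
  let replacements = 0;
  const code = js.replace(/\bsendHeightToParent\s*\(\s*\)/g, () => {
    replacements++;
    return "sendHeight()";
  });
  return { code, replacements };
}

// Constructed sample inputs for the example (not real NPR pages).
const SAMPLE_PARENT_HTML = `
<script src="/js/lib/pym-1.2.0.min.js"></script>
<script src="/js/lib/pym-1.3.2.min.js"></script>
<script src="/js/pym.js"></script>
`;
const SAMPLE_CHILD_JS = `
var pymChild = new pym.Child();
window.addEventListener('resize', function () { pymChild.sendHeightToParent(); });
pymChild.sendHeightToParent( );
`;

// Usage: run the audit and the migration over the samples.
console.log(auditPymScripts(SAMPLE_PARENT_HTML));
console.log(migrateChildScript(SAMPLE_CHILD_JS));
```

Any reference that comes back as affected or unknown-version should be switched to the CDN build or to a local 1.3.2 copy before you redeploy; an unversioned filename such as pym.js tells you nothing about what is actually shipped, so open the file and check its version header.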

Note: If you cannot do any of the things above, please remove your code from production until you can address it.

I do not have access to my CMS. What should I do?

Contact your sysadmins/technical support and send them a link to this post, flagging it as maximum priority.

On The Team Blog

February 15, 2018

Pym.js Security Alert

A high severity security vulnerability has been found in previous versions of Pym.js, please upgrade as soon as possible
