Pym.js security alert

A security vulnerability has been discovered in Pym.js (http://blog.apps.npr.org/pym.js/), a popular public media project that allows iframes to be responsively embedded on web pages. The vulnerability is present from version 0.4.2 (released on April 24th 2015) to version 1.3.1 (released on Feb 12th 2018).

Note that if you’re using our Pym.js CDN, you’re good. We’ve already pushed out a fix.

The severity of the security vulnerability is high. You should upgrade all projects that use Pym.js as soon as possible.

We will file a publicly distributed CVE (Common Vulnerabilities and Exposures) entry early in the week of Feb 19th 2018 with more details about the vulnerability.

How do I fix it?

All users of Pym.js must upgrade to 1.3.2. The easiest way to ensure you're up to date is to use our CDN version, which is already patched and will continue to be updated.

The most recent version of Pym.js is backwards compatible with all previous versions back to version 0.1.1 (released on June 18th 2014).

Scenario 1 - Your projects use a pym version newer than release 0.1.1:

  • Replace your pym.js library reference (both in the parent and the child) with the minified or unminified version in the CDN (recommended, to stay up to date with patches and new functionality). If you still prefer to use a local copy of Pym.js, replace your library with the new version 1.3.2.
  • Redeploy your projects.

Scenario 2 - Your projects use a pym version older than release 0.1.1:

  • Replace your pym.js library reference (both in the parent and the child) with the minified or unminified version in the CDN (recommended, to stay up to date with patches and new functionality).
  • If you still prefer to use a local copy of Pym.js, replace your library with the new version 1.3.2.
  • Since that older version of Pym had more limited and incompatible functionality, you will need to go through your child (the embedded page) JavaScript code, search for sendHeightToParent() calls and replace them with sendHeight(). That should be all in terms of code changes.
  • Redeploy your projects.

Note: If you cannot do any of the things above, please remove your code from production until you can address it.
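The checks below are an added example, not NPR's own tooling: a small POSIX shell script that tells you whether a given Pym.js version falls in the affected range (0.4.2 to 1.3.1), finds the old sendHeightToParent() calls that Scenario 2 says must be renamed, and rewrites them to sendHeight() with a backup. It assumes your child pages live in a project directory of .js/.html files; the sample child.js in demo is constructed input.

```shell
#!/bin/sh
# Added example (not NPR's code): helpers for the upgrade procedure above.
# Assumes a project directory containing the child page's .js/.html files.

# vernum VERSION : map "MAJOR.MINOR.PATCH" to one sortable integer
vernum() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# is_vulnerable VERSION : succeed if VERSION lies in the affected range
# 0.4.2 .. 1.3.1 stated by the advisory
is_vulnerable() {
    v=$(vernum "$1")
    [ "$v" -ge "$(vernum 0.4.2)" ] && [ "$v" -le "$(vernum 1.3.1)" ]
}

# list_old_calls DIR : print file:line for each sendHeightToParent() call
# (the pre-0.1.1 API that Scenario 2 says must become sendHeight())
list_old_calls() {
    grep -rn --include='*.js' --include='*.html' \
        'sendHeightToParent[[:space:]]*(' "$1"
}

# migrate_file FILE : rewrite those calls in place, keeping FILE.bak
migrate_file() {
    sed -i.bak 's/sendHeightToParent[[:space:]]*(/sendHeight(/g' "$1"
}

# demo : run the helpers on a constructed child.js (sample input only)
demo() {
    d=$(mktemp -d)
    printf 'var c = new pym.Child();\nc.sendHeightToParent();\n' > "$d/child.js"
    list_old_calls "$d"
    migrate_file "$d/child.js"
    cat "$d/child.js"
    rm -rf "$d"
}

# Usage: sh pym_upgrade.sh check VERSION | scan DIR | migrate FILE | demo
case "${1:-}" in
    check)   is_vulnerable "$2" && echo "$2: affected, upgrade to 1.3.2" \
                                || echo "$2: outside the affected range" ;;
    scan)    list_old_calls "$2" ;;
    migrate) migrate_file "$2" ;;
    demo)    demo ;;
esac
```

Review the .bak diff before redeploying, since the rename is purely textual and does not check that the call site is really a Pym child object.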

I do not have access to my CMS. What should I do?

Contact your sysadmins/technical support and send them a link to this post, giving it maximum priority.
