Security Bulletin: SWF Vulnerability in YUI 3.0.0 through 3.10.0 [do not post]

By YUI Team May 13, 2013

Overview

A security vulnerability has been recently discovered in several YUI .swf files. This vulnerability impacts all versions of YUI from YUI 3.0.0 through 3.10.0. Please read this bulletin carefully and take note of the instructions to remove this vulnerability from your own implementations.

Details

Aleksandr Dobkin and Sebastian Roschke of the Google Security Team recently found XSS vectors in .swf files used in the IO Utility and Uploader components. A carefully constructed URL accessing these .swf files directly could cause them to execute JavaScript in the context of the hosted .swf files and potentially expose cookies or other sensitive information from the hosted site.

The YUI team has taken steps to remove this vulnerability from our CDN, hosted .zip files, and npm packages by replacing the affected .swf files with patched ones that do not allow arbitrary strings to be passed in and executed in the manner that the vulnerability exposes.

Resolution

Delete the Files

If you are hosting these .swf files but are not using them, simply delete the .swf files to resolve the vulnerability.

Use the Yahoo! CDN

If you load these assets from the Yahoo! CDN, we have already patched all vulnerable files, and no further action is necessary.

Replace the Vulnerable Files

If you host and use this functionality, refer to the table below for information on downloading replacements for the affected files. Make sure you scan all your hosts for all versions of these files.

Version  Replacement File   Old MD5                           Patched MD5
3.0.0    io.swf             7f22020ec768608f2620681547e5cfbc  c0aeb2d9ce51f404e792890578e2c71f
3.1.0    io.swf             528990efbd93fb7a9f7890a81ff94dd0  b846bd01ce0946ac023811f8f81a1783
3.1.1    io.swf             528990efbd93fb7a9f7890a81ff94dd0  b846bd01ce0946ac023811f8f81a1783
3.1.2    io.swf             eb6777f7fa9048ef2347d8210787896f  b846bd01ce0946ac023811f8f81a1783
3.2.0    io.swf             c3491bb3c6863c5b05f5168adfd064d7  023ba0ef89ba692ddc472e24def72c60
3.2.0    uploader.swf       7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.3.0    io.swf             c3491bb3c6863c5b05f5168adfd064d7  023ba0ef89ba692ddc472e24def72c60
3.3.0    uploader.swf       7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.4.0    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.4.0    uploader.swf       7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.4.1    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.4.1    uploader.swf       7efdb06c1b588ed4878d7f24b366fac4  f9bb520229719fd4f138918826ea0bbf
3.5.0    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.5.0    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.5.0    flashuploader.swf  e5d39fad451c70719dfda99f4ee39991  86c183e8ddd33b7012d033eaec52755d
3.5.1    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.5.1    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.5.1    flashuploader.swf  e5d39fad451c70719dfda99f4ee39991  86c183e8ddd33b7012d033eaec52755d
3.6.0    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.6.0    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.6.0    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.0    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.0    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.0    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.1    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.1    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.1    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.2    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.2    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.2    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.7.3    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.7.3    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.7.3    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.8.0    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.8.0    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.8.0    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.8.1    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.8.1    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.8.1    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.9.0    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.9.0    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.9.0    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
3.9.1    io.swf             1e642bb8a5105dc429f8f3979ac559c4  ef4d5f86272e90e21a158882ecbd481b
3.9.1    uploader.swf       aa54944e0e4293c9c4efc4201b107136  c566c5fec625f482ebfeb05f891657a9
3.9.1    flashuploader.swf  b706cb01446002126f80c541a2fa62c0  6b214e93a4082ea689bcd23dbd34c4bd
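The scan the bulletin asks for (every host, every version of these three files) is easy to get wrong by hand, so here is an added example of a scanner that walks a web root, hashes every io.swf, uploader.swf and flashuploader.swf it finds, and reports each as vulnerable, patched or unknown against the MD5 values in the table. This is not YUI project code; the hash values are transcribed from the table above, and the directory layout, function names and the constructed test input are assumptions.

```python
"""Scan a web root for the YUI .swf files named in this bulletin and
classify each copy by its MD5 (added example, not YUI project code)."""
import hashlib
import os
from typing import Dict, Iterator, Tuple

# Old (vulnerable) MD5 values from the bulletin's table, keyed by digest.
# The version ranges in the comments are also taken from the table.
VULNERABLE_MD5: Dict[str, str] = {
    "7f22020ec768608f2620681547e5cfbc": "io.swf",             # 3.0.0
    "528990efbd93fb7a9f7890a81ff94dd0": "io.swf",             # 3.1.0, 3.1.1
    "eb6777f7fa9048ef2347d8210787896f": "io.swf",             # 3.1.2
    "c3491bb3c6863c5b05f5168adfd064d7": "io.swf",             # 3.2.0, 3.3.0
    "1e642bb8a5105dc429f8f3979ac559c4": "io.swf",             # 3.4.0 - 3.9.1
    "7efdb06c1b588ed4878d7f24b366fac4": "uploader.swf",       # 3.2.0 - 3.4.1
    "aa54944e0e4293c9c4efc4201b107136": "uploader.swf",       # 3.5.0 - 3.9.1
    "e5d39fad451c70719dfda99f4ee39991": "flashuploader.swf",  # 3.5.0, 3.5.1
    "b706cb01446002126f80c541a2fa62c0": "flashuploader.swf",  # 3.6.0 - 3.9.1
}

# Patched MD5 values from the same table.
PATCHED_MD5: Dict[str, str] = {
    "c0aeb2d9ce51f404e792890578e2c71f": "io.swf",             # 3.0.0
    "b846bd01ce0946ac023811f8f81a1783": "io.swf",             # 3.1.x
    "023ba0ef89ba692ddc472e24def72c60": "io.swf",             # 3.2.0, 3.3.0
    "ef4d5f86272e90e21a158882ecbd481b": "io.swf",             # 3.4.0 - 3.9.1
    "f9bb520229719fd4f138918826ea0bbf": "uploader.swf",       # 3.2.0 - 3.4.1
    "c566c5fec625f482ebfeb05f891657a9": "uploader.swf",       # 3.5.0 - 3.9.1
    "86c183e8ddd33b7012d033eaec52755d": "flashuploader.swf",  # 3.5.0, 3.5.1
    "6b214e93a4082ea689bcd23dbd34c4bd": "flashuploader.swf",  # 3.6.0 - 3.9.1
}

# File names the bulletin lists; matched case-insensitively below.
SWF_NAMES = {"io.swf", "uploader.swf", "flashuploader.swf"}


def md5_of(path: str) -> str:
    """Stream the file through MD5 so large trees do not load whole files."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: str) -> str:
    """Map a hex MD5 to 'vulnerable', 'patched' or 'unknown'."""
    d = digest.lower()
    if d in VULNERABLE_MD5:
        return "vulnerable"
    if d in PATCHED_MD5:
        return "patched"
    return "unknown"


def scan(root: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, md5, status) for every listed .swf name under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in SWF_NAMES:
                path = os.path.join(dirpath, name)
                digest = md5_of(path)
                yield path, digest, classify(digest)


if __name__ == "__main__":
    import sys
    # Usage: python scan_yui_swf.py /var/www   (path is an assumption)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    exit_code = 0
    for path, digest, status in scan(root):
        print(f"{status:10s} {digest} {path}")
        if status != "patched":
            exit_code = 1  # anything not confirmed patched needs attention
    sys.exit(exit_code)
```

Treat an "unknown" result as something to inspect rather than ignore: it means the file is neither a listed vulnerable build nor a listed patched one, which is what a renamed or locally rebuilt copy looks like. MD5 is adequate here only because the task is fingerprinting known files against a published list, not proving integrity against an adversary.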

Special Thanks

A big thank you to Aleksandr Dobkin and Sebastian Roschke of the Google Security Team who reported this to us.

Support

Our Security page has information about how to contact us regarding security-related issues.
