CVE-2022-37617: Prototype pollution vulnerability in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js.
resolve-shims.js is a registry of shimming functions used to resolve specific browser bugs. For example, if you encounter an issue with a function that is bound in a certain syntax, you can shim that function to resolve the issue. Webpack has a built-in function called resolve that can be used to resolve issues whenever a module is required. However, Webpack does not currently have a way to resolve issues when a shim is required, so Webpack has to be patched directly to resolve them.
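The vulnerability class named in the title, as an added illustration that is not browserify-shim's own code: a constructed shim registry that copies every key `k` of an untrusted config object into a target, beside a hardened version. The `mergeShims*` function names and the poisoned config are assumptions made for this example.

```javascript
// Constructed illustration of prototype pollution through a key-copy loop.
// Not browserify-shim's code; it shows the bug class, not the project's exact logic.

// Vulnerable: recursively merges config into a registry. For the key "__proto__",
// target[k] resolves to Object.prototype, so the nested values land on every object.
function mergeShimsVulnerable(target, source) {
  for (const k in source) {
    const v = source[k];
    if (v && typeof v === 'object' && typeof target[k] === 'object' && target[k] !== null) {
      mergeShimsVulnerable(target[k], v);
    } else {
      target[k] = v;
    }
  }
  return target;
}

// Hardened: refuse prototype-steering keys, only recurse into own properties,
// and build nested containers without a prototype so there is nothing to pollute.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeShimsSafe(target, source) {
  for (const k of Object.keys(source)) {
    if (BLOCKED_KEYS.has(k)) continue;
    const v = source[k];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      if (!Object.prototype.hasOwnProperty.call(target, k) || typeof target[k] !== 'object' || target[k] === null) {
        target[k] = Object.create(null);
      }
      mergeShimsSafe(target[k], v);
    } else {
      target[k] = v;
    }
  }
  return target;
}

// Constructed input, as it would arrive from JSON config: an own property literally
// named "__proto__" plus a legitimate shim entry.
const POISONED_CONFIG = JSON.parse('{"__proto__": {"polluted": "yes"}, "jquery": {"exports": "$"}}');

function demoVulnerable() {
  mergeShimsVulnerable({}, POISONED_CONFIG);
  const leaked = ({}).polluted;      // "yes": unrelated objects now inherit the value
  delete Object.prototype.polluted;  // undo the pollution so the process keeps working
  return leaked;
}

function demoSafe() {
  const registry = mergeShimsSafe(Object.create(null), POISONED_CONFIG);
  return { leaked: ({}).polluted, jqueryExports: registry.jquery.exports };
}
```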
Create a shim for resolve in resolve-shims.js
The first step is to create a shim for resolve in resolve-shims.js. The k variable in resolve-shims.js can be used to patch Webpack with a function that shims resolve.
Build Webpack with Shims
npm install webpack --save-dev
const path = require('path');
const webpack = require('webpack');
const resolveShims = require('./resolve-shims.js');
// shim `require` to resolve all issues
// NOTE: webpack itself exposes no `patch.transform` API; this call assumes a local patch helper attached to the webpack object.
webpack.patch.transform(resolveShims, {});
Fixing the issue and adding a shim for resolve
The second step is to create a shim for resolve in resolve-shims.js. The k variable in resolve-shims.js can be used to patch Webpack with a function that shims resolve.
The third step is to add the new function to Webpack's built-in functions and plugins list.
Configure Webpack to use resolve-shims.js
To configure Webpack to use resolve-shims.js, you need to make the following changes:
1) Create a file called webpack.config.js
2) Add the following line in that file:
plugins: [ new webpack.loaders.shim(ResolveShim, []), ]
3) Add the following require at the top of your webpack.config.js file, so that ResolveShim is defined before the plugins list uses it:
const ResolveShim = require('./resolve-shims.js');
Timeline
Published on: 10/11/2022 23:15:00 UTC
Last modified on: 10/13/2022 15:35:00 UTC
References
- https://github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L158
- https://github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js#L130
- https://github.com/thlorenz/browserify-shim/issues/245
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37617