How to upgrade the GreenSockJS@2.1.2

SJafar test

Hi, I have just created a website with a theme (Intech). But in the Lighthouse report it shows that there is 1 vulnerability for my website, and that is GreenSockJS@2.1.2. On investigating, I found that this vulnerability can be fixed by upgrading GSAP on my website to 3.6.0 or higher. But as I have no idea on working with GSAP, can you please help me fix this vulnerability by upgrading GSAP to 3.6.0? The URL of my website is: www.argustech.com

Waiting for your response.


We're not familiar with that theme, nor are we WordPress experts, but have you tried reaching out to the theme author? It may be as easy as just loading an updated file. For example:

<!-- OLD -->
<script type="1f5eb343ded359af44b520a5-text/javascript" src='https://www.argustech.com/wp-content/themes/intech/assets/js/TweenMax.min.js?ver=2.1.2' id='tween-max-js'></script>

<!-- NEW -->
<script src='https://cdnjs.cloudflare.com/ajax/libs/gsap/3.11.4/gsap.min.js'></script>

GSAP 3.x is mostly backwards compatible with TweenMax version 2. There are migration details here:

So depending on what your TweenMax code looks like, it really may be as simple as loading that updated file. There's a chance you'll have to make minor adjustments to some of the animations to use the newer/simpler API.

But honestly, in my experience, those "vulnerability" complaints are largely bogus. Some "security experts" nit-pick super minor things that'd never affect any real-world users, and then they ask for bounties for their advice.

According to your report, they're pointing to this: https://security.snyk.io/vuln/SNYK-JS-GSAP-1054614 but unless I'm totally misunderstanding something, the "vulnerability" they're reporting isn't something that GSAP is exposing at all - if a hacker wanted to do what they're describing, they can just do it directly.

For example, the report claims that running a for...in loop that iterates over an Object for merging with another Object is the source of the problem, but any hacker who could tap into that for nefarious purposes could just as easily do exactly the same thing themselves (a for...in loop). So it seems rather silly to me. Maybe someone else here can explain what genuine danger it poses if an old version of GSAP had a for...in loop like that (a danger that doesn't exist if that old version of GSAP wasn't loaded). 🤷‍♂️
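The advisory linked above is filed as a prototype pollution report, and the for...in merge it describes is the pattern shown here. This is an added illustration written for this page, not GSAP's code and not from either post: a naive recursive for...in merge beside a hardened version that copies only own keys and skips prototype-related names, with a constructed JSON input (the `UNTRUSTED_JSON` string is made up) and a check of whether a fresh, unrelated object is affected.

```javascript
// Added illustration, not GSAP's code: a deep merge driven by for...in over
// untrusted input, and what the hardened variant looks like.

// Naive deep merge: copies every enumerable key, recursing into objects.
// For the key "__proto__", dst[key] resolves to Object.prototype, so the
// recursion writes into the shared prototype instead of into dst.
function naiveMerge(dst, src) {
  for (const key in src) {
    const val = src[key];
    const dstVal = dst[key];
    if (val !== null && typeof val === "object" &&
        dstVal !== null && typeof dstVal === "object") {
      naiveMerge(dstVal, val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Keys that must never be merged from untrusted data.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened deep merge: own keys only, prototype-related names skipped, and
// recursion only into a value that dst owns itself (never an inherited one).
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      const ownObj = Object.prototype.hasOwnProperty.call(dst, key) &&
        dst[key] !== null && typeof dst[key] === "object";
      dst[key] = safeMerge(ownObj ? dst[key] : {}, val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed sample: a config string as it might arrive from an untrusted source.
const UNTRUSTED_JSON = '{"duration":1,"__proto__":{"polluted":true}}';

// Returns true if merging the sample with mergeFn made a brand-new, unrelated
// object inherit the injected key; restores Object.prototype afterwards.
function pollutesPrototype(mergeFn) {
  const before = "polluted" in {};
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const after = "polluted" in {};
  delete Object.prototype.polluted;
  return !before && after;
}
```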
