CVE-2021-26505

Name of the Vulnerable Software and Affected Versions MrSwitch hello.js versions 1.18.6 through 1.18.7

Description A prototype pollution issue allows remote attackers to execute arbitrary code via the hello.utils.extend function. This enables attackers to manipulate the prototype chain, potentially leading to code execution. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For MrSwitch hello.js versions 1.18.6 through 1.18.7, update to version 1.18.8 or later to resolve the issue. As a temporary workaround, consider disabling the hello.utils.extend function until a patch is available. Restrict access to the hello.utils.extend function to minimize the risk of exploitation.