CVE-2019-18841

Name of the Vulnerable Software and Affected Versions Chartkick.js versions 3.1.0 through 3.1.3 @polymer/polymer versions prior to 3.2.0

Description The issue allows prototype pollution, which can be achieved through chart options containing a malicious payload, such as {" proto ": {"polluted": true}}. Additionally, loading data from a malicious server can also lead to the same results.

Recommendations For Chartkick.js versions 3.1.0 through 3.1.3, upgrade to a version outside of this range to mitigate the issue. For @polymer/polymer versions prior to 3.2.0, upgrade to version 3.2.0 or later.