Published: 2017/06/28  Last Updated: 2017/06/28

Information from Yuki Hattori

Vulnerability ID:JVN#21174546
Title:Marp vulnerable to improper access control in JavaScript execution

This is a statement from the vendor itself with no modification by JPCERT/CC.

Marp v0.0.10 or earlier have this vulnerability. Please refer below GitHub issue for more details:

In v0.0.11, we have disabled accessing local resources from JavaScript. This behavior would relax reported vulnerable.

Markdown slides using external JavaScript library on web would continue to work. (e.g. drawing charts)
To avoid unexpected web accessing to external resource by JavaScript, please be careful below.

- Don't use script tag and iframe tag in Markdown
- Don't open attached Markdown on not-trusted mail
- Don't open downloaded/copied Markdown from the suspicious site