Information from Yuki Hattori
Vulnerability ID:JVN#21174546
Title:Marp vulnerable to improper access control in JavaScript execution
Status:Vulnerable
This is a statement from the vendor itself with no modification by JPCERT/CC.
Marp v0.0.10 or earlier have this vulnerability. Please refer below GitHub issue for more details:
https://github.com/yhatt/marp/issues/187
In v0.0.11, we have disabled accessing local resources from JavaScript. This behavior would relax reported vulnerable.
Markdown slides using external JavaScript library on web would continue to work. (e.g. drawing charts)
To avoid unexpected web accessing to external resource by JavaScript, please be careful below.
- Don't use script tag and iframe tag in Markdown
- Don't open attached Markdown on not-trusted mail
- Don't open downloaded/copied Markdown from the suspicious site