Critical Swiper JS Vulnerability Disclosed
A critical 'prototype pollution' vulnerability, CVE-2026-27212, has been disclosed in the widely used Swiper JavaScript library. The flaw, rated CVSS 9.4, could allow attackers to alter core object behaviors, potentially leading to remote code execution in applications that embed web UIs or use hybrid frameworks. Developers are urged to review all dependencies and update immediately.
- The vulnerability, present in Swiper JS versions 6.5.1 through 12.1.1, is located in the `shared/utils.mjs` file and allows for the pollution of `Object.prototype` through a crafted input using `Array.prototype`. This method bypasses a previous, insufficient patch that only checked for forbidden keys.
- A fix for this vulnerability has been released in version 12.1.2 of Swiper JS. The exploit has been demonstrated to be effective across both Windows and Linux operating systems, as well as on Node.js and Bun runtimes.
- Prototype pollution is a JavaScript-specific vulnerability where an attacker can modify the base object's prototype. Because of JavaScript's inheritance model, these malicious modifications can then propagate to all objects within an application, potentially leading to a variety of attacks.
- The exploitability of this flaw is heightened because it doesn't require any special privileges or user interaction to be executed. This could lead to severe consequences such as authentication bypass, denial of service (DoS), or even remote code execution (RCE), depending on how the application uses the polluted objects.
- Swiper is a widely used JavaScript library for creating touch-enabled sliders and carousels, and is implemented on the websites of numerous major companies, including Verizon, Hyundai, and Patagonia. Its popularity means a vast number of web applications could be at risk if they haven't updated to the patched version.
- The vulnerability stems from how the Swiper library processes user-controlled input. A malicious actor can provide a crafted input, often in the form of a JSON object with a `__proto__` key, to a function that merges it with an existing object, thereby "polluting" the prototype.
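To make the merge-based pollution mechanism described above concrete, here is an added example (not Swiper's own `shared/utils.mjs` code, and it does not reproduce the `Array.prototype` bypass): a naive recursive merge that can be polluted by a JSON body carrying a `__proto__` key, beside a hardened merge, with a small check that reports whether `Object.prototype` was affected. The function names and the sample JSON are constructed for this illustration.

```javascript
// Added example, not Swiper's code: a pollutable merge beside a hardened one.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: for...in visits the own "__proto__" key that JSON.parse creates,
// and target["__proto__"] resolves to Object.prototype, so the recursion
// writes attacker-chosen properties onto the shared prototype.
function naiveMerge(target, src) {
  for (const key in src) {
    if (isPlainObject(src[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], src[key]);
    } else {
      target[key] = src[key];
    }
  }
  return target;
}

// HARDENED: only own keys, dangerous names skipped, and nested containers
// created with a null prototype so there is no prototype chain to reach.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body of the shape the article describes (hypothetical).
const CRAFTED_JSON = '{"speed": 300, "__proto__": {"isAdmin": true}}';

// Merge the sample into a fresh object and report whether an unrelated,
// freshly created object now inherits the injected property.
function pollutionCheck(mergeFn) {
  mergeFn({}, JSON.parse(CRAFTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // restore the prototype after the check
  return leaked;
}
```

The same `pollutionCheck` pattern is useful as a unit test guarding any merge, extend, or options-parsing helper that touches user-supplied JSON.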