Hi, we are a security team. We found a prototype pollution vulnerability in your project.

The issue affects workbox-window in WorkboxEvent.

The vulnerable behavior happens because WorkboxEvent can be invoked with a controlled this context and then uses Object.assign(this, props). If this is bound to Object.prototype, global prototype pollution may occur.

Impact

An attacker may be able to pollute the global prototype and affect other objects in the same runtime.

Proof of concept

const { WorkboxEvent } = require('workbox-window');

WorkboxEvent.call(Object.prototype, 'type', { polluted: true });

console.log(({}).polluted); // true

Details

We confirmed the following case:

• sink: ./utils/WorkboxEvent.js:18

The root cause is that attacker-controlled execution context and properties are passed into a direct object assignment targeting shared prototype objects.