higuma web-audio-recorder-js Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability has been identified in higuma web-audio-recorder-js versions 0.1 and 0.1.1. The issue arises in the 'extend' function within the 'lib/WebAudioRecorder.js' file, where the library's dynamic configuration handling merges caller-supplied keys without sanitizing object prototype attributes. This flaw allows for remote exploitation, although such attacks are considered complex and difficult to execute. The vulnerability has been publicly disclosed, and an exploit is available.
Impact
Exploitation of this vulnerability allows for prototype pollution, where an attacker can manipulate the Object.prototype, potentially leading to unexpected behavior in the application or environment.
Reproduction
The vulnerability can be reproduced by creating a 'WebAudioRecorder' instance and passing a configuration object that includes unsanitized property names such as '__proto__'. Because the 'extend' function performs no validation of property names, such a configuration object pollutes the global Object.prototype.
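For defenders and maintainers, the fix pattern is a merge routine that refuses prototype-related keys and only walks own properties. The following is an added illustration, not the library's own 'extend' from lib/WebAudioRecorder.js; the function names ('safeExtend', 'buildConfig', 'prototypeIsPolluted') and the option names in the defaults are assumptions.

```javascript
// Added illustration of a hardened configuration merge. This is NOT the
// library's own 'extend'; names and default option keys below are assumed.

// Keys that can redirect a property write onto Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Recursively copy own enumerable properties of `src` onto `target`, skipping
// any forbidden key at every nesting level. Returns the number of rejected
// keys so callers can log or alert on suspicious input.
function safeExtend(target, src) {
  let rejected = 0;
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) {
      rejected += 1;
      continue;
    }
    const value = src[key];
    if (isPlainObject(value)) {
      // Only recurse into an own plain-object property of `target`, never into
      // something inherited from its prototype chain.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      rejected += safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return rejected;
}

// Constructed defaults resembling recorder options (assumed names, not the
// library's). Returns the merged config and the count of rejected keys.
function buildConfig(userConfig) {
  const defaults = { workerDir: "lib/", numChannels: 2, encoding: "wav", options: { timeLimit: 300 } };
  const rejected = safeExtend(defaults, userConfig);
  return { config: defaults, rejected };
}

// Post-condition check for tests or startup: has Object.prototype gained an
// own property it should not have?
function prototypeIsPolluted(probeKey) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
}
```

Note that an object literal written as `{ __proto__: {...} }` in source sets the literal's prototype rather than creating an own key, so tests should build the input with JSON.parse, which does create an own "__proto__" property.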
