GHSA-pg98-6v7f-2xfv: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-pg98-6v7f-2xfv) affects sweetalert2, a JavaScript popup box replacement library, in versions 9.17.4 to 10.0.0. The issue involves hidden functionality that was introduced by the maintainer, where the package outputs unauthorized audio and/or video messages that are not part of the package's core functionality. This vulnerability was published on November 23, 2022, and last updated on January 11, 2023 (GitHub Advisory).

The vulnerability is classified as CWE-912 and has been assigned a Low severity rating. The issue specifically manifests as unexpected audio and/or video outputs that were not present in versions 9.0.0 through 9.17.3. This hidden functionality was intentionally introduced by the maintainer and affects the package's normal operation (GitHub Advisory).

The impact includes unexpected behavior in applications using the affected versions, specifically unauthorized audio and/or video messages being played. For certain domain zones (.ru, .su, .by, and .рф), the package is known to block website navigation and play the national anthem of Ukraine, behavior classified as protestware (NPM Package).

Users are advised to use versions between 9.0.0 and 9.17.3 of the package until a fix is released by the maintainer. No other workarounds are currently available (GitHub Advisory).

The release containing this functionality (v11.4.9) received mixed reactions on GitHub, with various emoji reactions including thumbs up, laugh, hooray, and eyes from the community (SweetAlert2 Release).