Question

Heap caused our app to fail a penetration test

  • 22 April 2024
  • 0 replies
  • 8 views

I’m not an engineer, but I had this information passed on by our engineering team. We had a penetration test failure due to our Heap installation.

`The application may be vulnerable to DOM-based cookie manipulation. Data is read from document.referrer and passed to document.cookie.`

`The application may be vulnerable to DOM-based client-side JSON injection. Data is read from document.cookie and passed to JSON.parse.`

I’m trying to make the business case for upgrading our account, but it looks like we’ll need to remove Heap from the app until this is resolved.

Is there an alternative approach to the installation or some sort of settings that we can adjust to fix this?

Thank you.
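
Each of the two findings quoted in the post names a source and a sink: `document.referrer` into `document.cookie`, and `document.cookie` into `JSON.parse`. The following is an added example, not part of the original post and not Heap's code, showing how a page's own script can handle each flow defensively; the cookie name `ref_state` and both function names are hypothetical.

```javascript
// Added example: hypothetical helpers, not Heap's code.
const COOKIE_NAME = "ref_state"; // hypothetical cookie name

// Source: document.referrer -> sink: document.cookie.
// Keep only the referrer's host and percent-encode the JSON, so characters
// such as ";" or "=" in the URL cannot add cookie attributes or extra cookies.
function buildReferrerCookie(referrer) {
  let host = "";
  try {
    const u = new URL(referrer);
    if (u.protocol === "http:" || u.protocol === "https:") host = u.hostname;
  } catch (_) {
    host = ""; // empty or malformed referrer
  }
  const value = encodeURIComponent(JSON.stringify({ host }));
  return `${COOKIE_NAME}=${value}; Path=/; SameSite=Lax; Secure`;
}

// Source: document.cookie -> sink: JSON.parse.
// Parse defensively and accept only the expected shape.
function readReferrerState(cookieString) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    try {
      const data = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      const ok = data !== null && typeof data === "object" && !Array.isArray(data) &&
        Object.keys(data).length === 1 && typeof data.host === "string" &&
        /^[a-z0-9.-]{0,253}$/i.test(data.host);
      return ok ? { host: data.host } : null;
    } catch (_) {
      return null; // malformed percent-encoding or JSON
    }
  }
  return null; // cookie not present
}

// Constructed sample: a referrer carrying cookie metacharacters.
const sampleReferrer = "https://example.test/a;b=c?x=1; Domain=evil.test";
const sampleCookie = buildReferrerCookie(sampleReferrer);
console.log(sampleCookie);
console.log(readReferrerState(sampleCookie));
// In a browser: document.cookie = buildReferrerCookie(document.referrer);
```

A scanner that only traces data flow may still report the source and sink; the encoding and shape check are what a reviewer would look for when triaging the finding.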

