SRI checks are not performed.
under review
Ramesh Lokesh
One of the customers has mentioned that they are reporting a moderate vulnerability because the sub resource integrity (SRI) checks are not being performed on Document360 for their hosting at support.nvoq.com.
The customer would like to include the SRI checks in our testing process.
Mark Beans
Hi... SRI checks have nothing at all to do with your testing processes. Please read the materials we provided on this when this ticket was opened.
Mark Beans
Hi, this ticket was opened in May. You responded in August saying this is under review. The only thing we have heard back on this over the last 3 months is an email to close our support ticket. What is the status of this?
Thiru
under review
Thiru
Angie Linder thanks for sharing more details on this. We will have this evaluated with our Engineering folks on this, and keep you posted.
Angie Linder
Sub Resource Integrity (SRI) checks are used to hash the pages that we publish on your platform, so if your platform is hacked we would see that our pages or scripts have been modified. The Cybersecurity company we engaged for our annual pen test insisted that this is a "Medium" risk vulnerability and they reflected that in their pen test report:
5.1 Subresource Integrity Checks Not Performed
Risk: Moderate
Subresource integrity (SRI) ensures that browsers check that resources they fetch from third parties are delivered without having been manipulated. A hash of the resource file is stored and compared against the requested resource to ensure they match. These checks protect against a scenario whereby an attacker gains control of a content delivery network (CDN) and alters or replaces the files requested by the CDN’s customers.
Here is a link describing this:
Here are some additional links related to this:
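Added example, not part of the original thread and not Document360's code: a Python sketch of the hash-and-compare check the pen test finding describes, plus an audit that lists cross-origin scripts and stylesheets published without an `integrity` attribute. The host names, resource body and page markup are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALGS = ("sha256", "sha384", "sha512")  # weakest to strongest, as ranked by the SRI spec

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build the integrity attribute value for a resource body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser-style check: only hashes of the strongest listed algorithm count."""
    pairs = [t.split("?")[0].split("-", 1) for t in integrity.split()]
    pairs = [p for p in pairs if len(p) == 2 and p[0] in ALGS]
    if not pairs:
        return True  # no usable metadata means the resource loads unchecked
    strongest = max(pairs, key=lambda p: ALGS.index(p[0]))[0]
    return any(sri_value(body, a) == f"{a}-{h}" for a, h in pairs if a == strongest)

class SriAudit(HTMLParser):
    """Collect cross-origin script/stylesheet URLs that carry no integrity attribute."""
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.missing = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            return
        host = urlparse(url or "").netloc  # empty for same-origin relative URLs
        if host and host != self.page_host and not a.get("integrity"):
            self.missing.append(url)

def audit(html: str, page_host: str) -> list:
    parser = SriAudit(page_host)
    parser.feed(html)
    return parser.missing

# Constructed sample data (hypothetical hosts and files).
SCRIPT = b"console.log('widget v1');\n"
PAGE = f"""<html><head>
<script src="https://cdn.example.test/widget.js" integrity="{sri_value(SCRIPT)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/analytics.js"></script>
<link rel="stylesheet" href="/local.css">
</head></html>"""

if __name__ == "__main__":
    print("missing integrity:", audit(PAGE, "docs.example.test"))
    print("tampered copy accepted:", sri_matches(SCRIPT + b"//injected", sri_value(SCRIPT)))
```
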