WS-2015-0017 - Medium Severity Vulnerability

Vulnerable Libraries - uglify-js-2.4.24.tgz, uglify-js-2.2.5.tgz

uglify-js-2.4.24.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

path: /lethargy/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.4.24.tgz

Dependency Hierarchy:

• ❌ uglify-js-2.4.24.tgz (Vulnerable Library)

uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

path: /lethargy/node_modules/ruglify/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Dependency Hierarchy:

• ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

Step up your Open Source Security Game with WhiteSource here

I'm getting multiple false positives on following browsers:

• Latest Brave Version 1.44.101 Chromium: 106.0.5249.65 (Official Build) (x86_64)
• Safari Version 16.0 (17614.1.25.9.10, 17614)
• Firefox 105.0.1

On single macbook trackpad swipe, console.log output looks like this:
https://share.cleanshot.com/g6lloD

There is also a warning, that mousewheel event listener was added as passive, however that doesn't seem to be the issue. I tried fixing it locally and issue persists.

Thank you

WS-2016-0039 - High Severity Vulnerability

Vulnerable Library - shell-quote-0.0.1.tgz

quote and parse shell commands

path: /lethargy/node_modules/shell-quote/package.json

Library home page: http://registry.npmjs.org/shell-quote/-/shell-quote-0.0.1.tgz

Dependency Hierarchy:

• ❌ shell-quote-0.0.1.tgz (Vulnerable Library)

Vulnerability Details

The npm module "shell-quote" cannot correctly escape "greater than" and "lower than" operator used for redirection in shell. This might be possible vulnerability for many application which depends on shell-quote.

Publish Date: 2016-06-21

URL: WS-2016-0039

CVSS 2 Score Details (8.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/117

Release Date: 2016-06-21

Fix Resolution: Upgrade to at least version 1.6.1

Step up your Open Source Security Game with WhiteSource here

WS-2015-0024 - High Severity Vulnerability

Vulnerable Library - uglify-js-2.2.5.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

path: /lethargy/node_modules/ruglify/node_modules/uglify-js/package.json

Library home page: http://registry.npmjs.org/uglify-js/-/uglify-js-2.2.5.tgz

Dependency Hierarchy:

• ❌ uglify-js-2.2.5.tgz (Vulnerable Library)

Vulnerability Details

UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.

Publish Date: 2015-08-24

URL: WS-2015-0024

CVSS 2 Score Details (8.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/39

Release Date: 2015-08-24

Fix Resolution: Upgrade UglifyJS to version >= 2.4.24.

Step up your Open Source Security Game with WhiteSource here

I have a scrolljacking feature on the homepage of this site:
http://mischiefsitereview.com/gpee

I had a lot of trouble normalizing the scroll events triggered by a trackpad vs a mouse wheel, but lethargy was exactly what I needed.

The only issue I'm having is that on Google Chrome on Windows, it doesn't seem to be recognizing when a mouse wheel is being turned. I have it console logging each time it recognizes the event. The threshold is 10. If you open the console on that site and watch as you scroll with a mouse wheel, it seems to randomly stagger the events.

Here's what I'm working with:

var $ = jQuery,
	delta = 0,
	currentSlideIndex = 0,
	scrollThreshold = 10,
	slides = $('.slide').toArray(),
	numSlides = slides.length,
	paginationItems = $('#pagination span').toArray(),
	homeTransitioned = false,
	lethargy = new Lethargy();

var animateHome = function() {
	$('#ed, #quest, #star, #big-star').addClass('transitioned');
	homeTransitioned = true;
}

var resetHome = function() {
	window.setTimeout(function() {
		$('#ed, #quest, #star, #big-star').removeClass('transitioned');
		homeTransitioned = false;
	}, 500);
}

function elementScroll (e) {
	// console.log(e.originalEvent);
	if (window.innerWidth >= 992) {
		// Prevent page from scrolling
		if (currentSlideIndex != numSlides || $(window).scrollTop() + 95 < $('#vignettes').offset().top) {
		    e.preventDefault();
		    e.stopPropagation();
		}
		
		if (currentSlideIndex === numSlides) {
			checkPaginationTop();
		}
	        // --- Scrolling up ---
		// if (e.originalEvent.deltaY < 0 || e.originalEvent.wheelDelta > 0 || e.originalEvent.detail < 0) {	
		if (lethargy.check(e) !== false) {
			
			if (lethargy.check(e) == 1) {
				if ($(window).scrollTop() + 95 <= $('#vignettes').offset().top) {
		            if ($('#wrap').hasClass('active') && $('.vignette:nth-of-type(1)').offset().top >= 95) {
		                $('#wrap').removeClass('active');
		                $('#pagination span.active').removeClass('active');
		                $('#pagination span[data-scroll="3"]').addClass('active');
		            }
		            
		        	delta--;
		
		    		if ( Math.abs(delta) >= scrollThreshold && $('.vignette:nth-of-type(1)').offset().top >= 95) {
		    		    prevSlide();
		    		}
		        }
			}
			
			// --- Scrolling down ---
			else if (lethargy.check(e) == -1) {
		        if (currentSlideIndex < numSlides) {
		        	delta ++;
		        	console.log(delta);
		            
		    		if (delta >= scrollThreshold && currentSlideIndex != 0) {
		            	nextSlide();
		    		} else if (delta >= scrollThreshold && currentSlideIndex === 0) {
		    			delta = 0;
		    			animateHome();
		    			window.setTimeout(nextSlide, 700);
		    		}
		        } else if (currentSlideIndex === numSlides) {
		            if (!$('#wrap').hasClass('active')) {
		                $('#wrap').addClass('active');
		                nextSlide();
		            }
		        }
				
			}
	        
		}
	}
}

function checkPaginationTop() {
	// console.log($('#vignettes').offset().top, $('.vignette:nth-of-type(1)').offset().top);
	
	for (var i=1; i < 9; i++) {
		if ( $('.vignette:nth-of-type('+i+')').offset().top <= $('#vignettes').offset().top + (window.innerHeight/3)
				&& $('.vignette:nth-of-type('+i+')').offset().top > $('#vignettes').offset().top) {
			$('#pagination span.active').removeClass('active');
			$(paginationItems[i + 3]).addClass('active');
		}
	}
}


function showSlide() {

	// reset
	delta = 0;

	$.each(slides, function(i, slide) {
	    if (currentSlideIndex < numSlides) {
	        $(slide).toggleClass('active', (i >= currentSlideIndex));
	    }
		
	});
	
	if (currentSlideIndex === 0) {
		resetHome();
	}

}


function prevSlide() {

	currentSlideIndex--;

	if (currentSlideIndex < 0) {
		currentSlideIndex = 0;
	}
	
	$('#pagination span.active').toggleClass('active');
	$(paginationItems[currentSlideIndex]).toggleClass('active');

	showSlide();
}

function nextSlide() {
	currentSlideIndex++;

	if (currentSlideIndex > numSlides) { 
		currentSlideIndex = numSlides;
	}
	
	$('#pagination span.active').toggleClass('active');
	$(paginationItems[currentSlideIndex]).toggleClass('active');

	showSlide();
}

function skipToSlide(i) {
	
	var i = parseInt(i);
	console.log(currentSlideIndex, i);
	if ((currentSlideIndex < i || currentSlideIndex > i) && currentSlideIndex != numSlides) {
		currentSlideIndex = i + 1;
		prevSlide();
	} else if (currentSlideIndex === numSlides) {
		currentSlideIndex = i - 1;
		nextSlide();
		
	}
}

function keypress(e) {
	e = e || window.event;
	// console.log(e);
	
	if (e.keyCode == '38' && currentSlideIndex > 0 && currentSlideIndex != numSlides) {
		prevSlide();
	} else if (e.keyCode == '38' && currentSlideIndex === numSlides && $(window).scrollTop() + 95 <= $('#vignettes').offset().top) {
		if ($('#wrap').hasClass('active')) {
            $('#wrap').removeClass('active');
            prevSlide();
		} else {
			prevSlide();
		}
	} else if (e.keyCode == '40' && currentSlideIndex != numSlides - 1) {
		nextSlide();
	} else if (e.keyCode == '40' && currentSlideIndex === numSlides - 1) {
		
		if (!$('#wrap').hasClass('active')) {
            $('#wrap').addClass('active');
            nextSlide();
        }
	} else {
		return false;
	}
}

$(window).bind('mousewheel DOMMouseScroll wheel MozMousePixelScroll', elementScroll);
$(window).bind('keydown', keypress);

It's a little messy and complicated because only part of the page is scrolljacked. The important bit with lethargy is in the elementScroll function. Is this an issue you've seen before with lethargy?

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-2.0.10.tgz, minimatch-0.2.14.tgz, minimatch-0.3.0.tgz

minimatch-2.0.10.tgz

a glob matcher in javascript

path: /lethargy/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Dependency Hierarchy:

• ❌ minimatch-2.0.10.tgz (Vulnerable Library)

minimatch-0.2.14.tgz

a glob matcher in javascript

path: /lethargy/node_modules/readdirp/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Dependency Hierarchy:

• ❌ minimatch-0.2.14.tgz (Vulnerable Library)

minimatch-0.3.0.tgz

a glob matcher in javascript

path: /lethargy/node_modules/flat-glob/node_modules/minimatch/package.json

Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Dependency Hierarchy:

• ❌ minimatch-0.3.0.tgz (Vulnerable Library)

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

Step up your Open Source Security Game with WhiteSource here

WS-2018-0075 - Medium Severity Vulnerability

Vulnerable Library - concat-stream-1.4.11.tgz

writable stream that concatenates strings or binary data and calls a callback with the result

path: /lethargy/node_modules/insert-module-globals/node_modules/concat-stream/package.json

Library home page: https://registry.npmjs.org/concat-stream/-/concat-stream-1.4.11.tgz

Dependency Hierarchy:

• ❌ concat-stream-1.4.11.tgz (Vulnerable Library)

Vulnerability Details

Versions of concat-stream before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into write()

Versions <1.3.0 are not affected due to not using unguarded Buffer constructor.

Publish Date: 2018-04-25

URL: WS-2018-0075

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

Hi @d4nyll,
It would be nice if you could publish the latest version (1.0.4) on npmjs? Do you think it's possible?
Thx! 👍

http://jsfiddle.net/q6reLg0v/
The jsfiddle demo is nice, but not of much use when testing custom options.

If you don't have the time to make a dynamic demo, can you tell a way on how to hijack the fiddle? I don't find the initialization of lethargy in the js-code there.

Thanks!

On Chrome (Windows) and with some speedy mouses (gamers one), lethargy stops to work because
we called _this.lethargy.check(e) several times in the same function.

You should update your example to tell people to store _this.lethargy.check(e) value
in a temp variable instead of using it more than on time.

Bad example, _this.lethargy.check(e) value can change between calls:

/**
 * Mousewheel
 * @return {[type]} [description]
 */
Page.prototype.onMousewheel = function(e){
    var _this = this;

    e.preventDefault();
    e.stopPropagation();

    if(_this.lethargy.check(e) !== false) {
        console.log('Lethargy');
        console.log(_this.lethargy.check(e));

        if (_this.lethargy.check(e) == 1 && _this.blockIndex > 0) {
            _this.switchBlock('up');
        }
        else if(_this.lethargy.check(e) == -1 && _this.blockIndex < _this.blockLength-1){
            _this.switchBlock('down');
        }
    }
};

Fixed example

/**
 * Mousewheel
 * @return {[type]} [description]
 */
Page.prototype.onMousewheel = function(e){
    var _this = this;

    e.preventDefault();
    e.stopPropagation();

    var check = _this.lethargy.check(e);

    if(check !== false) {
        console.log('Lethargy');
        console.log(check);

        if (check == 1 && _this.blockIndex > 0) {
            _this.switchBlock('up');
        }
        else if(check == -1 && _this.blockIndex < _this.blockLength-1){
            _this.switchBlock('down');
        }
    }
};

From the docs:

Lethargy focus on preventing false positives (saying it's a normal scroll event when it wasn't), but tolerates false negatives (saying it's not a normal scroll event when it is).

Isn't there a way to know when it is a normal scroll then ?

Using the demo page I can scroll for the first time and get only false values. Meaning "this is not a normal scroll" when in fact it is.

Hey @d4nyll, I am going to use lethargy in my project (thanks again, you're a life saver) and have started converting it to ES6 syntax (it was the only option due to my current setup). I was wondering what are your plans regarding the library, as I know you plan to refactor https://github.com/d4nyll/smartscroll to ES6 at some point.

I will gladly share my work here (translate to ES6 and add Babel to transpile to ES5) if you're willing to move away from coffee script. Please let me know your thoughts.

Hi.

Let me tell you've done a great job with this code. It works like a charm.

But there is a little problem when using it on firefox.

Chrome and Safari return -1 when going down and 1 when going up (expected behaviour) while Mozilla's browser does the opposite.

Hardware: Macbook Air
SO: OSX Yosemite
Using Firefox 37.0.2

I can solve this by using browser detection but maybe there is a simpler way to fix it from lethargy.js.

PD: I'm still learning to write in english.

Upon landing of a site, if a user scrolls up, it will have mixture of -1 and 1. Im using mac 10.11.2 El Capitan with Chrome 47. I have tried the script on your demo site and its the same.

Hi, I came across an issue when using default settings and desktop mouse. If I scroll slowly on with mouse wheel, these events are marked as inertial.

Even if I switch scroll direction to opposite, it continues to be detected as inertial (lethargy.check(ev) === false).

p.s.
I'm using a modified version of the jsfiddle demo from README.md. I added lethargy with default settings and differentiate inertial events by coloring them red and normal events as gray.

Does not appear to work with iOS devices in demo http://d4nyll.github.io/lethargy/.

Have you seen anything to tell if the device is triggering real scroll or momentum scrolling on touch devices?

Hi there,
this is a very nice library 👍 been struggling with these issues for a while.

Would you be interested in having this working standalone, without jQuery? Since it's not dependant on any jQuery feature, allowing to use e instead of e.originalEvent would do the trick.

Would you also be interested in making this npm (browserify) compatible? It just needs a proper package.json so you can publish on npm, since the source already has the exports variables.

I think those 2 propositions would make the library more easily accessible to a wide range of user.

Let me know, I can make a PR for each of those later.

There are three options you can specify with lethargy, but I find the defaults works fine. If you think the defaults does not work well for you, please post here to tell us which devices it _doesn't_ work well, and also which settings _does_ work well. Many thanks!

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.3.min.js

JavaScript library for DOM operations

path: /lethargy/with-jquery.html

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.3/jquery.min.js

Dependency Hierarchy:

• ❌ jquery-1.11.3.min.js (Vulnerable Library)

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: jquery/jquery@b078a62#diff-bee4304906ea68bebadfc11be4368419

Release Date: 2015-10-12

Fix Resolution: Replace or update the following files: script.js, ajax.js, ajax.js

Step up your Open Source Security Game with WhiteSource here

.. no matter how long the timeout is.
The issue occurs on trackpads (tested on different Macbooks)

After those initial up and down swipe it works perfectly across all tested devices.

Refreshed page: Console for inputs: "Down" > "Up" > "Down" > "Up"

var lethargy = new Lethargy(20, 40, 0.05); //  

// custom throttle 
var lethargyWait = false;
var lethargyTimeout = 500;

$(window).bind('mousewheel DOMMouseScroll wheel MozMousePixelScroll', function(e) {
    e.preventDefault()
    e.stopPropagation();

    var result = lethargy.check(e);

    if(result != false && lethargyWait != true) {

	console.log(result);
			
	if (result < 0) nextPanel();
	else if (result > 0) prevPanel();

	lethargyWait = true;
	setTimeout(function() {
		lethargyWait = false; 
	}, lethargyTimeout);

    }
});

Hi,

I am attempting to use your plugin with webpack and am using this way:

import Lethargy from 'lethargy/lethargy.min';

export default class Scrolljack {

    constructor(el) {
        this.el = $(el);
        this.lethargy = new Lethargy();
    }
    init() {
        console.log(this.lethargy);
    }
}

// main.js
import Scrolljack from 'scrolljack.js'
const scrolljack = new Scrolljack();
scrolljack.init();

But I am running into the following issue:

lethargy2.default is not a constructor

when I use require, I get the following:

Lethargy is not a constructor

Is there a preferred / suggested way of including into a project?