Potential prototype-pollution utility in bundled JS extend helper #184

Description

@jpksh90

Summary

CodeQL flagged a potential prototype-pollution utility in the JavaScript bundle shipped with the F-Droid build com.app.openlib_14.

Affected code

In the extracted JS bundle, the helper below copies arbitrary property names from props into obj without filtering dangerous keys such as __proto__, prototype, or constructor:

util.extend = extend = function(obj, props, deep) {
    var o, p;
    for (var i in props) {
        // no filtering of i here: "__proto__", "prototype" and "constructor"
        // are copied like any other own property
        if (props.hasOwnProperty(i)) {
            o = obj[i];
            p = props[i];
            if (deep && o !== null && typeof o == "object" && p !== null && typeof p == "object") {
                // with deep=true and i === "__proto__", o is the target's prototype,
                // so the recursion writes p's keys onto that shared prototype
                extend(o, p, true);
            }
            obj[i] = p;
        }
    }
}

MifDroid/CodeQL location from the analyzed F-Droid artifact:

  • file: com.app.openlib_14.js
  • line: 1347
  • rule: js/prototype-pollution-utility

Why this matters

If attacker-controlled input can reach util.extend, assigning a key like __proto__ can mutate the prototype chain and cause unexpected property injection in other objects.

Suggested fix

Before copying a property, reject dangerous keys such as:

  • __proto__
  • prototype
  • constructor

and ideally avoid recursive merge/write helpers on untrusted objects unless the keys are explicitly allowlisted.
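A hardened counterpart to the flagged helper, added here as an example (it is not code from the app bundle or from the issue author). The names safeExtend, isPlainObject, isDangerousKey and mergeUntrusted are assumed for illustration; the sample payload in mergeUntrusted is constructed.

```javascript
'use strict';

// Keys that must never be copied from an untrusted source object: writing
// them reaches into, or replaces, the prototype chain of the target.
const DANGEROUS_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function isDangerousKey(key) {
  return DANGEROUS_KEYS.has(key);
}

// Only plain objects (literal / JSON-parsed / null-prototype) are merged into.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened counterpart of the flagged extend(): same (obj, props, deep) shape, but
//  - only own enumerable keys are visited (Object.keys, not for..in),
//  - dangerous keys are skipped before anything is read or written,
//  - deep recursion descends only into plain objects, and only into a slot
//    that is an OWN property of obj, never into something inherited such as
//    obj.__proto__ (which is what lets the original reach Object.prototype).
function safeExtend(obj, props, deep) {
  if (!isPlainObject(props)) return obj;
  for (const key of Object.keys(props)) {
    if (isDangerousKey(key)) continue;
    const p = props[key];
    if (deep && isPlainObject(p)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(obj, key);
      const existing = hasOwn ? obj[key] : undefined;
      const target = isPlainObject(existing) ? existing : {};
      obj[key] = safeExtend(target, p, true);
    } else {
      obj[key] = p;
    }
  }
  return obj;
}

// Merge a JSON document from an untrusted source. JSON.parse yields an OWN
// property literally named "__proto__", which for..in + hasOwnProperty in
// the original helper passes straight through; safeExtend drops it.
function mergeUntrusted(jsonText) {
  return safeExtend({}, JSON.parse(jsonText), true);
}
```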

Notes

This report comes from CodeQL analysis over the JavaScript extracted from the published Android app build, so the flagged code is definitely present in the shipped artifact even if it originates from a bundled dependency.
