SpinetiX-SA-21:01
From SpinetiX Support Wiki
This page relates to security advisories.
Deprecated HTML engine on HMP350, HMP300 and DiVA
Mitigation
Do not include any HTML layers in content that will be published on HMP300 and HMP350 players. Where this is not possible, use HTML layers only to display internal, secure, company-controlled websites that load no resources from public websites, to minimize the attack risk.
Usage of HTML layers is always disabled on DiVA players; they are not active even if included in the content.
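One way to check an HTML layer against this mitigation before publishing is a static audit that lists every resource reference resolving to a host outside an internal allowlist. This is an added example, not SpinetiX code; the `audit` helper, the host names and the sample markup are assumptions constructed for illustration.

```python
# Added example, not SpinetiX code. Host names and SAMPLE are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the engine fetches, plus <base>, which redirects relative URLs
SRC_TAGS = ("script", "img", "iframe", "frame", "embed", "video", "audio", "source")
LOADING_ATTRS = {(t, "src") for t in SRC_TAGS} | {
    ("video", "poster"), ("object", "data"), ("link", "href"), ("base", "href")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class ResourceAudit(HTMLParser):
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.base_url, self.in_style = page_url, False
        self.allowed = {h.lower() for h in allowed_hosts}
        self.violations = []          # (tag, resolved URL) pairs

    def check_ref(self, tag, ref):
        url = urljoin(self.base_url, ref.strip())  # resolves relative and //host forms
        host = urlsplit(url).hostname              # None for data:, about:, etc.
        if host and host not in self.allowed:
            self.violations.append((tag, url))

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        for name, value in attrs:
            if value and (tag, name) in LOADING_ATTRS:
                self.check_ref(tag, value)
                if tag == "base":                  # later relative URLs follow <base>
                    self.base_url = urljoin(self.base_url, value)
            elif value and name == "style":        # inline CSS
                for ref in CSS_URL.findall(value):
                    self.check_ref(tag, ref)

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):                   # body of a <style> element
        for ref in (CSS_URL.findall(data) if self.in_style else ()):
            self.check_ref("style", ref)

def audit(html, page_url, allowed_hosts):
    parser = ResourceAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.violations

SAMPLE = ('<link rel="stylesheet" href="/css/signage.css"><img src="logo.png">'
          '<script src="//cdn.example.net/lib.js"></script>')
```

An empty result from `audit(SAMPLE, page_url, allowed_hosts)` means no statically declared external load was found. Requests made by scripts at run time and CSS `@import` rules written without `url()` are not visible to this check, so those files still need review.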
Details
The HTML engine installed on the HMP350, HMP300 and DiVA players, PhantomJS, has not been an actively maintained project since 2018. It uses old versions of the Qt, QtWebKit and OpenSSL libraries, among others, which are no longer maintained and have no viable upgrade path available.
Given the above, SpinetiX cannot ensure that security vulnerabilities in those components are fixed, and thus HTML layers using the PhantomJS engine remain vulnerable to various attacks. There are publicly known vulnerabilities with available exploits affecting the components used by PhantomJS, and using it to display arbitrary content from websites is a high security risk. Using HTML layers to display internal, secure, company-controlled websites with a tightly controlled content authoring chain and no loading of external resources lowers the security risk by ensuring that no resources accessed by PhantomJS can be used as an attack vector.
Furthermore, PhantomJS lacks support for many modern web standards and thus most public sites fail to render properly.
As of firmware 4.7.1, the HTML engine on HMP350, HMP300 and DiVA is deprecated and may be removed in a future firmware version for these devices.
The upgrade path for HTML content is to use the more powerful HMP400 player, where the HTML engine is based on Chromium and is fully supported.
Revisions
- June 2, 2021: Initial public release