by yodon
2559 days ago
The charting vulnerability discussed in the article, found to be introducing vulnerabilities in 90 crypto coin sites, remains 100% effective if you never eval server-side and only serve bundles from your own domain with an appropriate content security policy. Worse, now that the bug has been fixed in the vendor's distribution, your customers would still be at risk if you were self-hosting the old files. There are no simple solutions to securing large complex systems. It's simply hard and takes lots of work, and you will almost certainly still be vulnerable in the end. That's why physical locks are rated in terms of the time it takes attackers to open them, not the inability of attackers to open them.