We are using the following script tag for ViewerSDK in the index.html file of our application:
<script type='text/javascript' src='https://documentservices.adobe.com/view-sdk/viewer.js'></script>
But a security risk has been found at this line, with the following details:
Description: JavaScript files can be imported dynamically from remote hosts when they are embedded into HTML. However, this reliance on a remote host for these scripts may diminish security, as the web application's users are only ever as secure as the remote host serving these JavaScript files.
Impact: An externally imported JavaScript file may leave users vulnerable to attack - if the JavaScript's host is compromised, if communications with the host are intercepted or if the host itself is not trustworthy, then the contents of the JavaScript file may change to have malicious code, which could result in a Cross-Site Scripting (XSS) attack.
Remediation Recommendation: Where possible, host all script files locally, rather than remotely. Ensure that locally hosted 3rd party script files are constantly updated and maintained.
Is there a way I can download the SDK concerned, keep a local copy and host it locally?
We need to fix this security vulnerability.
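
The kind of check behind a finding like the one quoted above, as an added example (not part of the original post and not Adobe's code): it lists script tags loaded from another origin and reports whether each uses HTTPS and carries a Subresource Integrity `integrity` attribute. `PAGE_ORIGIN`, the function names, and every tag in `SAMPLE_HTML` other than the viewer.js one are assumptions made for illustration.

```javascript
// Added example. PAGE_ORIGIN and all of SAMPLE_HTML except the viewer.js tag
// are constructed for illustration.
const PAGE_ORIGIN = 'https://app.example.com';
const SAMPLE_HTML = `
<head>
<script type='text/javascript' src='https://documentservices.adobe.com/view-sdk/viewer.js'></script>
<script src="/static/js/main.js"></script>
<script src="http://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log('inline');</script>
</head>`;

// Parse the attribute text of one opening tag into a map with lower-cased names.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per script loaded from an origin other than pageOrigin.
// Regex-based tag matching is enough for an audit of static markup; it does not
// handle a '>' inside an attribute value or scripts injected at run time.
function auditScripts(html, pageOrigin) {
  const ownOrigin = new URL(pageOrigin).origin;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.src) continue;                        // inline script
    const url = new URL(attrs.src, ownOrigin + '/'); // resolve relative paths
    if (url.origin === ownOrigin) continue;          // locally hosted
    const issues = ['remote origin'];
    if (url.protocol !== 'https:') issues.push('not loaded over HTTPS');
    if (!attrs.integrity) issues.push('no integrity attribute');
    else if (!('crossorigin' in attrs)) issues.push('integrity without crossorigin');
    findings.push({ src: url.href, issues });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_HTML, PAGE_ORIGIN)) {
  console.log(`${f.src}: ${f.issues.join(', ')}`);
}
```

An `integrity` value pins one exact file, so it only suits a remote script whose bytes do not change between releases.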