Affects Version/s: 7.1.10 DXP GA1
Fix Version/s: None
Component/s: App Management
When I navigate to Marketplace on a demo installation on localhost, I'm getting the MP content from liferay.com - including the script code included on there. So far, this is expected.
However, it seems that due to SPA, their code stays active once I navigate away from Marketplace. My scripting plugins still show both decibelinsight and newrelic code present and blocked/blockable until I reload the full page - just navigating isn't enough.
Due to the nature of decibelinsight and newrelic (as far as I understand their business), they might collect information about the sites that their scripts are running on, which is probably unexpected and might pose a legal risk.
I'm assuming that this will also happen on intranet sites, behind firewalls - be it production, development, or test instances.
I couldn't find a SPA component here, assuming that this is SPA-related, and I'm not sure if I should file a security/information disclosure issue, or if there's a better explanation for it.
An answer that these scripts currently don't collect any data from localhost is not sufficient, as they're fetched from the internet and might change at any time.