There has been some talk recently about cross-site scripting vulnerabilities in the JW Player. PoodLL has shipped with the JW Player as an option since around April. We added it because the audio/video players we used at the time did not work well with screen readers.
Almost nobody uses the JW Player with PoodLL, so we will be removing it from PoodLL, and site admins should delete the JW Player from existing PoodLL installations. Even if you don’t use it, please delete it.
The JW Player is located at [PATH TO MOODLE]/filter/poodll/jwplayer59. You should delete the entire jwplayer59 folder, since we won’t need it anymore.
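The removal step above as a shell function, added here as an example and not part of PoodLL or the original post: it reports whether the folder is present and, in remove mode, deletes it and confirms it is gone. The function name and the check/remove modes are assumptions; only the filter/poodll/jwplayer59 path comes from the post.

```shell
#!/bin/sh
# Added example (not PoodLL's own code).
# Usage: jwplayer_cleanup check|remove /path/to/moodle
# Return codes (assumed for this example):
#   0 = folder absent or removed, 1 = folder present (check mode),
#   2 = no PoodLL filter found, 3 = removal failed, 64 = bad mode

jwplayer_cleanup() {
    mode=$1          # "check" only reports, "remove" deletes
    moodle_root=$2   # the [PATH TO MOODLE] from the post
    target="$moodle_root/filter/poodll/jwplayer59"

    case "$mode" in
        check|remove) ;;
        *) echo "mode must be check or remove" >&2; return 64 ;;
    esac

    # Refuse to act on a directory that does not contain the PoodLL filter.
    if [ ! -d "$moodle_root/filter/poodll" ]; then
        echo "no PoodLL filter under $moodle_root" >&2
        return 2
    fi

    # Folder already gone: nothing to do.
    if [ ! -e "$target" ] && [ ! -L "$target" ]; then
        echo "clean: $target not present"
        return 0
    fi

    if [ "$mode" = "check" ]; then
        echo "present: $target"
        return 1
    fi

    # A symlink is unlinked rather than followed, so nothing outside the
    # Moodle tree is deleted.
    if [ -L "$target" ]; then
        rm -f -- "$target"
    else
        rm -rf -- "$target"
    fi

    # Confirm the delete worked (it can fail on permissions or read-only mounts).
    if [ -e "$target" ] || [ -L "$target" ]; then
        echo "failed to remove $target" >&2
        return 3
    fi
    echo "removed: $target"
    return 0
}
```

Running it in check mode first on each Moodle installation shows which sites still carry the folder before anything is deleted.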
Some of you are probably wondering what “cross-site scripting” is and how dangerous it is. It is explained in some detail in this Wikipedia article. Briefly, however, it means that an attacker could sneak their JavaScript into your users’ browsers when they are on your site. How dangerous it is really depends on how sensitive/desirable the data on your site is, and how easy it is for an attacker to plant crafty URLs on your site, or in emails to your users.
Note that the JW Player is one of the most common Flash audio/video players on the internet, and this is not a vulnerability specific to PoodLL, or even to all versions of the JW Player. But nobody wants a potential security problem on their site, so let’s just remove the JW Player and get on with educating. If you have any questions or concerns about it, please contact me directly via the form on the contact page.