Information about the latest update
This article reports a High severity vulnerability (SC2020-003-435698) in Sitecore JSS React Sample Application, for which there is a fix available.
This vulnerability may cause page content intended for one user to be shown to another user.
We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all impacted Sitecore systems. We also recommend that customers maintain their environments on security-supported versions and apply all available security fixes without delay.
If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.
To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: KB0608800.
Versions affected
Vulnerability SC2020-003-435698 affects all versions of Sitecore JSS React Sample Application starting from JSS 11.0.0 and up to (and including) JSS 14.0.1.
Versions not affected
New versions of the JSS React Sample Application that resolve the issue have been released. However, because the issue is in sample code that is intended to be extended and customized, you will need to adapt the changes to your own solution.
Fix Verification
As the fix for the issue is in sample code and not in a Sitecore distribution package, the recommended way to validate that the fix has been implemented is to ensure that global variables or singletons are not used to store page state in your application's server-side JavaScript code. Global variables include any variable defined outside the context of a class or function (example). Singletons include any use of "export default new" (example).
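The following added example (not the JSS sample's own code, nor code from this bulletin) illustrates why the check above matters: a module-level singleton that caches layout data is shared by every request in a server-side rendering process, so two concurrent renders can interleave and one user's page is emitted with the other user's content; the hardened version keeps the same data in a per-request object. The routes, user names, balances and the `fetchLayoutMock` layout service stand-in are all constructed for this example.

```javascript
// --- Vulnerable pattern: module-level singleton holding "current page" state.
// Under SSR the module is loaded once per process and shared by all requests.
class SharedPageState {
  constructor() { this.layoutData = null; }
  setLayoutData(d) { this.layoutData = d; }
  getLayoutData() { return this.layoutData; }
}
const sharedState = new SharedPageState(); // equivalent to `export default new SharedPageState()`

async function renderVulnerable(route, fetchLayout) {
  sharedState.setLayoutData(await fetchLayout(route)); // write to shared state
  // Further async work (e.g. other data fetches) lets another request run here.
  await new Promise((resolve) => setTimeout(resolve, 0));
  return `<main>${sharedState.getLayoutData().body}</main>`; // read from shared state
}

// --- Hardened pattern: page state lives in an object created per request and
// passed explicitly; nothing about this request is visible to any other.
async function renderHardened(route, fetchLayout) {
  const requestState = { layoutData: await fetchLayout(route) };
  await new Promise((resolve) => setTimeout(resolve, 0));
  return `<main>${requestState.layoutData.body}</main>`;
}

// Constructed stand-in for the layout service: each route maps to content that
// only its own user should ever see. Resolves asynchronously like a real call.
function fetchLayoutMock(route) {
  const pages = {
    '/alice/dashboard': { body: 'Welcome Alice: balance 1,200' },
    '/bob/dashboard': { body: 'Welcome Bob: balance 75' },
  };
  return new Promise((resolve) => setTimeout(() => resolve(pages[route]), 0));
}

// Render two users' requests concurrently, as an SSR server does under load,
// and return what each user would receive.
async function renderConcurrently(render) {
  const [alice, bob] = await Promise.all([
    render('/alice/dashboard', fetchLayoutMock),
    render('/bob/dashboard', fetchLayoutMock),
  ]);
  return { alice, bob };
}
```

Calling `renderConcurrently(renderVulnerable)` resolves with Alice's page containing Bob's content, while `renderConcurrently(renderHardened)` returns each user their own page.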