registry  /  @wix/editor-react-components  /  1.2315.0

@wix/editor-react-components@1.2315.0

React components for the Wix Editor

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime networking is limited to package-aligned browser asset/media functionality, and no install-time execution exists.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Rendering components that load remote icons, media, maps, or animation content.
Impact
No credential theft, persistence, foreign control-surface mutation, or destructive action established.
Mechanism
Browser UI rendering and package-aligned asset fetching.
Rationale
Source inspection supports a browser React component package with no lifecycle hooks or host-side attack primitives. Scanner hits resolve to normal Wix asset loading, bundled Lottie expression support, and intentional bidi string data rather than a concrete malicious chain.
Evidence
package.jsondist/site/components/TextInput/component.jsdist/site/components/Lottie/component.jsdist/site/components/chunks/Tooltip.jsREADME.md
Network endpoints3
static.parastorage.com/services/wix-ui-icons-common/dist/icons/static.wixstatic.com/maps.googleapis.com/maps/api/js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, bin, or Node entrypoint.
    • Published files are browser-oriented Wix React component bundles under dist/site.
    • TextInput fetches versioned icon JSON only from Wix static.parastorage.com during icon rendering.
    • Lottie eval is the bundled animation-expression engine, gated by runExpressions; no exfiltration or persistence chain found.
    • Tooltip.js bidi controls are explicit Unicode isolate characters used as string data, not hidden source syntax.
    • No child-process, filesystem-write, credential-harvesting, agent-control, or destructive APIs found in dist.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsEvalNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 311 file(s), 6.08 MB of source, external domains: aomedia.org, api.whatsapp.com, base-ui.com, editor.wix.com, facebook.com, fb.me, files.wix.com, github.com, maps.googleapis.com, pinterest.com, static.filesuser.com, static.parastorage.com, static.wixstatic.com, twitter.com, video.wixstatic.com, vimeo.com, visgl.github.io, www.facebook.com, www.google.com, www.instagram.com, www.linkedin.com, www.snapchat.com, www.tiktok.com, www.w3.org, www.wix.com, www.youtube.com

    Source & flagged code

    3 flagged · loading source
    dist/site/components/Lottie/component.jsView file
    13712var scoped_bm_rt; L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0]; L13714: var numKeys = property.kf ? data.k.length : 0;
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/site/components/Lottie/component.jsView on unpkg · L13712
    dist/site/components/chunks/Tooltip.jsView file
    7191contains invisible/control Unicode U+2066 (left-to-right isolate) text: "<U+2066>",
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/site/components/chunks/Tooltip.jsView on unpkg · L7191
    dist/site/components/chunks/constants3.jsView file
    61patternName = generic_password severity = medium line = 61 matchedText = password...rd",
    Medium
    Secret Pattern

    Hardcoded password in dist/site/components/chunks/constants3.js

    dist/site/components/chunks/constants3.jsView on unpkg · L61

    Findings

    1 Critical4 Medium4 Low
    CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    MediumSecret Patterndist/site/components/chunks/constants3.js
    LowScripts Present
    LowEvaldist/site/components/Lottie/component.js
    LowHigh Entropy Strings
    LowUrl Strings