In a blog post, Yahoo has said there is a security vulnerability in its JavaScript framework YUI version 2. It does not, though, give a detailed description of the bug. The issue only, now, relates to any project where the developers have hosted their own version of the YUI 2 SWF files (from version 2.4.0 to 2.9.0). Those who have used Yahoo's yui.yahooapis.com CDN or another CDN for YUI 2 or use YUI 3 are not affected by the issue said Yahoo.

The only information in the post is a connection with "SWF"; this could therefore be something in connection with the presence of the class SWFStore which supports the persistence of data using the Flash Player. The affected version of the framework has, though, been superseded by YUI 3 since 2009; YUI 3 does not include SWFStore.

The Yahoo developers ask affected user to contact them via email to security@yuilibrary.com for further information and support.

(djwm)