Comment 7 for bug 1940450

Jeremy Stanley (fungi) wrote :

Yes, that's a dependency of Horizon in an entirely different repository. It can be found at https://opendev.org/openstack/xstatic-bootstrap-scss/src/branch/master/xstatic/pkg/bootstrap_scss/data/js/bootstrap/tooltip.js but was updated to 3.4.1 over a year ago when https://review.opendev.org/710865 merged (2020-03-19). The fixed version is used by Horizon in the Ussuri release, which is at this point the oldest maintained upstream branch anyway. So if I understand what you're saying, this has been fixed so far back that we wouldn't generally consider issuing a public advisory about it (not to mention we don't typically issue advisories for dependencies, on the assumption they have their own security publication process anyway).

You may want to check with the Ubuntu/UCA package maintainers and see if they want to backport a fix from newer Bootstrap versions to the Queens release of Horizon they seem to be distributing for Bionic. I'll mark this bug invalid for our security advisory task and upstream Horizon, and see if I can find the correct Ubuntu package to mark affected. Thanks for the hint!