Comment 20 for bug 1157732

Jamie Strandboge (jdstrand) wrote :

NAK. I stopped the security audit as soon as I saw that qtjsbackend-opensource-src contains an embedded copy of the Google V8 Javascript engine (i.e., libv8). The version that is embedded is 3.11.4 from last May. libv8 in the archive already has no one maintaining it and it's older than what's in qtjsbackend-opensource-src, so switching to it wouldn't help (it has 13 open CVEs against it). There are currently 5 open CVEs against the version that is in qtjsbackend-opensource-src right now:
 CVE-2012-5120
 CVE-2012-5128
 CVE-2012-5153
 CVE-2013-0836
 CVE-2013-2632

Furthermore, qtjsbackend-opensource-src's own README file has instructions on updating the embedded v8: "In the likely case of conflicts, follow the git instructions about continuing the patch application process after resolving the conflicts." This probably explains why libv8 hasn't been updated upstream. I also looked at fixes and they will require significant backporting.

Between the 5 open CVEs in qtjsbackend-opensource-src now, upstream's reluctance to keep it up to date, a lack of a suitable in-archive alternative in libv8, the complexity of maintaining a Javascript engine without upstream support, and its security history, I believe qtjsbackend-opensource-src is unsupportable currently.