Missing User Warnings
Medium
- Confidence: 90%
- Finding: The documentation explicitly recommends configuring iconfont script URLs from iconfont.cn and supports online CDN loading, but it does not warn that this causes the application to execute remote JavaScript in the page context. If a script URL is compromised, replaced, or sourced from an untrusted project, it can lead to client-side script injection and full DOM/session compromise for users of applications following this guidance.
