Description-Behavior Mismatch
Medium
- Confidence
- 89% confidence
- Finding
- The script injects a remote Mermaid CDN script into generated HTML, causing preview/build output to execute third-party JavaScript at render time. This expands the trust boundary and creates supply-chain and privacy risk: opening the generated HTML or rendering it in Puppeteer may fetch and run code from an external host not disclosed by the manifest.
