I think it must've been a low-level issue. I don't know the internals of Superfish, but maybe the scan couldn't find code escape()-ing URLs for XSS attacks or something when generating the menu. Obviously Superfish cannot be the cause of SQL injections... it just sends you to other URLs.
On Jun 19, 8:10 am, aquaone <aqua...@gmail.com> wrote:
> How is Javascript going to do a SQL injection?
>
> On Fri, Jun 19, 2009 at 08:16, NationPress <i...@nationpress.com> wrote:
>
> > The client we're building a site for recently had a server-wide scan done by SecurityMetrics.com for PCI compliance. This was required by their bank's commercial credit card service. The report came back with a "Possible blind sql injection" vulnerability warning level 4 out of 7 for the Superfish menu javascript. Anything 4 and above keeps them out of compliance. This file is for the Superfish menu. Is there a workaround for this potential issue?