Thanks for raising this question in the Q&A forum.
This is happening because Power Pages loads certain JavaScript libraries (like Handlebars v4.7.7) as part of its built-in portal runtime scripts managed entirely by Microsoft. Since these scripts are not part of your custom code, your security scanner is picking them up and flagging them as vulnerabilities, even though you have no direct control over them.
Here is what you can do about it:
First, confirm that the flagged script URL (postpreform.BootstrapV5.bundle.js) is indeed coming from content.powerapps.com and not from any custom code you have added to your portal. This helps clearly establish that it is a Microsoft-owned dependency.
Raise a support ticket directly with Microsoft through the Power Platform Admin Center. Mention the specific CVE numbers your scanner flagged, the script URL, and that this is a platform-managed file outside your control. Microsoft's engineering team can confirm whether this is already patched or being tracked.
While waiting for Microsoft's response, document this finding in your security compliance report as a third-party vendor managed dependency. Most compliance frameworks allow you to record a risk acceptance note for vulnerabilities that are outside your team's control, so this should help unblock your audit.
Keep an eye on the Power Pages release notes at learn.microsoft.com as Microsoft regularly updates platform dependencies. The fix may already be rolling out in a newer portal version.
You can also check if the specific vulnerable code path in Handlebars is actually reachable within your portal's usage. In many cases, scanners flag a library version without checking if the dangerous function is ever called, making it a false positive in practice.
If this answer helps you, kindly accept the answer, which will help others who have similar questions.
Best Regards,
Jerald Felix
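
The origin check from the first step of the answer above, as an added example that is not part of the original reply or of Microsoft's code: it classifies script URLs by exact hostname, so a look-alike host is not mistaken for content.powerapps.com. The portal URL, the PLACEHOLDER path segment and the look-alike host are constructed sample values; `classifyScripts` is a hypothetical helper name.

```javascript
// Host the answer names as the Microsoft-managed source of the flagged bundle.
const PLATFORM_HOSTS = new Set(["content.powerapps.com"]);

// Classify each script URL by where it is served from.
// Exact hostname comparison is deliberate: a substring or endsWith check
// would also accept hosts such as "content.powerapps.com.example.net".
function classifyScripts(scriptUrls, pageUrl) {
  const page = new URL(pageUrl);
  return scriptUrls.filter(Boolean).map((src) => { // inline scripts have no src
    let url;
    try {
      url = new URL(src, page); // resolves relative paths against the portal page
    } catch {
      return { src, host: null, file: null, owner: "unparseable" };
    }
    let owner = "other-host"; // needs manual review
    if (url.protocol === "https:" && PLATFORM_HOSTS.has(url.hostname)) {
      owner = "platform-cdn"; // evidence for the vendor-managed finding
    } else if (url.origin === page.origin) {
      owner = "portal-origin"; // served by the portal itself; check for custom code
    }
    return { src, host: url.hostname, file: url.pathname.split("/").pop(), owner };
  });
}

// Constructed sample input (not taken from a real portal).
const SAMPLE_PAGE = "https://contoso.example/home";
const SAMPLE_SCRIPTS = [
  "https://content.powerapps.com/PLACEHOLDER/postpreform.BootstrapV5.bundle.js",
  "/custom/site.js",
  "https://content.powerapps.com.example.net/postpreform.BootstrapV5.bundle.js",
  "", // inline <script> block
];

console.table(classifyScripts(SAMPLE_SCRIPTS, SAMPLE_PAGE));

// In the browser console on the portal page, the live equivalent is:
//   classifyScripts([...document.scripts].map((s) => s.src), location.href)
```

The rows marked `platform-cdn` are the ones to cite in the support ticket and the compliance note; anything else carrying the flagged file name should be investigated as custom or third-party code.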