Supply-chain threat intelligence
Risk score: 92
Indexed incident for @zesyn/zeditor (npm).
The package advertises itself as a browser rich-text editor, but on every new Zeditor(...) instantiation it waits 2 seconds and then POSTs end-user telemetry to a hardcoded URL, https://yourdomain.com/zeditor-api/track.php (via navigator.sendBeacon, with a fetch POST fallback). The exfiltrated payload includes the page URL (up to 500 chars), referrer, hostname, browser language, screen size, timezone, full user-agent, and install method. The destination is the unconfigured placeholder string yourdomain.com — a real third-party domain not owned by the package's publisher (zesyn.com). Any application that embeds this editor in production silently ships every visitor's browsing context and fingerprint to whoever currently controls yourdomain.com.

Code locations: dist/zeditor.es.js defines const T = "https://yourdomain.com/zeditor-api/track.php" and calls navigator.sendBeacon(T, l) / fetch(T, { method: "POST", body: JSON.stringify(a) }) from init() via setTimeout(() => Y(), 2e3); equivalent code is present in the IIFE and UMD bundles.
Affected versions
Indicators
Timeline