Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js.
stealjs steal 2.2.4