CVE-2022-23529 – node-jsonwebtoken (nist.gov)
2 points by robin_reala on Jan 10, 2023 | 3 comments


If this is a CVE, then arguably any method invocation on any function argument in any JavaScript library is a CVE, and we might as well throw the whole thing away. Is there a way to challenge this as not-a-CVE?



This CVE is a joke, there is no attack vector. If an attacker is able to create an object with an executable function in the scope claimed in the CVE, he may just run the malicious code himself.



