What HubSpot Users Need to Know

As your digital partner and a HubSpot partner agency, MINDSCAPE is committed to keeping our clients informed and secure. Recently, a security vulnerability was identified in the Lottie Player JavaScript library, affecting websites that utilize this tool to bring animations to life. Here’s a full breakdown of what happened, why Lottie Player is trusted across the industry, how the issue was resolved quickly, and what actions we recommend for you.

What Is Lottie Player?

For those new to Lottie Player, this is a highly valued JavaScript library used to bring complex animations, often crafted in Adobe After Effects, to web pages and mobile applications. With Lottie, designers can create visually engaging animations that can be easily implemented without slowing down websites or requiring extensive development time. These animations are commonly used in websites, mobile applications, and digital interfaces where adding engaging visuals can make the experience more interactive and memorable.

Lottie Player has become the go-to for animation because it’s lightweight, fast, and works across different devices seamlessly. For many businesses, including those on HubSpot’s platform, Lottie Player has been a key player in adding that extra visual polish to their user interfaces.

A Quick Overview of the Incident

On October 30, 2024, around 6:45 pm ET, HubSpot received reports of unusual behavior on websites using certain versions of Lottie Player. This turned out to be the result of a security vulnerability within the library. Users encountered an unintended pop-up message urging them to “Connect Wallet” or “Get a Wallet,” indicating that the player’s security had been compromised. This issue primarily impacted customers who directly embedded Lottie Player into their HubSpot site or used a HubSpot Marketplace template that included Lottie Player.

The vulnerability appeared in versions 2.0.5, 2.0.6, and 2.0.7 of Lottie Player. However, the good news is that a fix was implemented promptly, with version 2.0.8 addressing the security issue by 7:30 pm ET that same day.

Immediate Action and a Rapid Response from the Developers

In situations like this, response time is everything. We’d like to extend our appreciation to the developers of Lottie Player for their swift action and communication. They immediately assessed the vulnerability, isolated the affected code, and rolled out a secure update within less than an hour of identifying the issue. Their commitment to maintaining a secure and reliable animation library was evident in how they managed this incident with transparency and efficiency.

Thanks to their quick response, the impact of this incident was minimized, and users were able to update to the secure version, 2.0.8, almost immediately. MINDSCAPE applauds Lottie Player’s development team for their commitment to quality and customer security.

HubSpot’s Trust Center and Commitment to Security

As a HubSpot partner agency, we want to highlight the role of HubSpot’s Trust Center in ensuring the security and reliability of every integration on their platform. The HubSpot Trust Center provides clients with insights into how HubSpot secures data, monitors for vulnerabilities, and responds to incidents. With built-in security protocols and a culture of proactive monitoring, HubSpot consistently demonstrates its commitment to protecting its users.

HubSpot’s proactive notification process also ensured that affected customers were quickly informed and guided on any necessary actions, reinforcing the platform’s transparency and reliability in response to such incidents. The Trust Center is available to all HubSpot users and is a valuable resource for understanding HubSpot’s ongoing commitment to platform security.

What Actions Do We Recommend?

To ensure your website’s security and avoid any vulnerabilities, we recommend taking the following steps:

  1. Verify the Latest Lottie Player Version: Make sure you’re using Lottie Player version 2.0.8 or later. This version is safe and no longer contains the vulnerability identified in earlier releases.
  2. Update or Remove Templates if Needed: If your website uses HubSpot templates that include Lottie Player, consider updating or replacing them with alternatives if you’re looking to avoid additional updates. The MINDSCAPE team can help you find or create new modules if needed.
  3. Discuss with Your IT or Security Team: It’s always best practice to review security measures with your IT team, especially for any integrations or third-party tools like Lottie Player. They can help verify that everything is up to date and aligned with your organization’s security standards.

Why Lottie Player Remains a Trusted Tool

Despite this incident, Lottie Player remains a highly trusted tool in the web and app development industry, praised for its simplicity, versatility, and efficiency. Incidents like these can happen even with the best tools on the market, and the key takeaway is often how developers handle the situation. In this case, Lottie Player’s developers acted swiftly to address the issue, showing that they take security and customer trust seriously.

The benefits of Lottie Player’s animation capabilities—from lightweight, fast-loading visuals to easy integration across platforms—make it a fantastic option for any brand looking to enhance their digital presence. We continue to stand by Lottie Player as a secure, reliable choice for adding animation to websites and applications.

MINDSCAPE is Here to Support You

Security is our top priority, and we’re here to support you through any concerns or adjustments you may need to make to your site. If you’d like to discuss this incident in further detail or need help updating templates or verifying security, please don’t hesitate to reach out. Our team is ready to provide guidance and reassurance.

Thank you for your trust in MINDSCAPE. Rest assured, we’re always working to ensure your digital experience is as safe, secure, and engaging as possible.