On 27th of September, a critical flaw was discovered in ZeroNet's iframe sandbox by Git Center, ZeroLSTN, and Krixano. It is currently believed to be actively exploited, and thus all users are encouraged to update to the latest version of ZeroNet right away.
If you received an alert about new update, is because of it. I already figure out how this can be exploited, but I can't share the details. You are in risk, both if you don't update your client, and if you update via the ZeroHello/ZeroUpdate.
I advice to all users, doesn't update from ZeroHello. Download from GitHub and add to /core folder. Also clone the repo into the /core folder, so you can analyze what are the files changed.
Detailed info and POC of the "Vacation" sandbox escape bug that was discovered by GitCenter / Krixano / ZeroLSTN 3 weeks ago (fixed in Rev3616+)
This repository is the clearnet mirror of http://127.0.0.1:43110/1HcLPSR5ss1ehsqP8kU2Sa2TJyDVcGADTp
Discussion at http://127.0.0.1:43110/Talk.ZeroNetwork.bit/?Topic:1540051200_1Cy3ntkN2GN9MH6EaW6eHpi4YoRS2nK5Di