All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. References: https://security.snyk.io/vuln/SNYK-JS-DOJO-1535223 https://github.com/dojo/dojo/blob/4c39c14349408fc8274e19b399ffc660512ed07c/_base/lang.js#23L172
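The bug class named above, shown as an added example that is not taken from Dojo or from this report. `setPathUnsafe` is a simplified stand-in for a dotted-path setter (it is not Dojo's `setObject` source), and `setPathSafe` shows the path-segment check a caller or wrapper can apply before the path reaches such a setter. All function names and the sample paths are assumptions.

```javascript
// Added illustration: a simplified dotted-path setter, NOT Dojo's source.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe: follows every path segment, including inherited ones.
function setPathUnsafe(root, path, value) {
  const parts = path.split(".");
  const last = parts.pop();
  let obj = root;
  for (const p of parts) {
    if (obj[p] === undefined || obj[p] === null) obj[p] = {};
    obj = obj[p]; // "__proto__" resolves to Object.prototype here
  }
  obj[last] = value;
  return value;
}

// Hardened: reject dangerous segments and only descend into own properties.
function setPathSafe(root, path, value) {
  const parts = path.split(".");
  if (parts.some((p) => p === "" || BLOCKED.has(p))) {
    throw new TypeError("refusing unsafe path segment in: " + path);
  }
  const last = parts.pop();
  let obj = root;
  for (const p of parts) {
    const own = Object.prototype.hasOwnProperty.call(obj, p);
    if (!own || obj[p] === null || typeof obj[p] !== "object") obj[p] = {};
    obj = obj[p];
  }
  obj[last] = value;
  return value;
}

// Runs both setters on constructed inputs and reports what happened.
function demo() {
  const out = {};
  setPathUnsafe({}, "__proto__.polluted", true);
  out.unsafePolluted = ({}).polluted === true; // unrelated object is affected
  delete Object.prototype.polluted;            // clean up the global state
  try {
    setPathSafe({}, "__proto__.polluted", true);
    out.safeRejected = false;
  } catch (e) {
    out.safeRejected = e instanceof TypeError;
  }
  out.safePolluted = ({}).polluted === true;
  const cfg = {};
  setPathSafe(cfg, "a.b.c", 1);
  out.normalValue = cfg.a.b.c;
  return out;
}
console.log(demo());
```

The same segment check works as input validation in front of an unpatched setter when the path string comes from untrusted data.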
Created dojo tracking bugs for this issue: Affects: epel-all [bug 2035013]
RHEL 7 IPA is unaffected. While IPA does make use of Dojo, it is limited in its scope and does not use the affected setObject function. While it is possible to create a plugin/extension for IPA that could make use of the setObject function in Dojo, this would require privileges that are already escalated to that of an IPA admin at minimum, which would provide more control than exploitation of the flaw.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23450