Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Same as bug #2432957. Such kinds of issues are not exploitable in Cockpit due to its structure. Cockpit's web server is an isolated world, it only knows about cockpit on one server, and can't go anywhere else. The entire JS is loaded from the target machine, so that already has full control over what happens – if an attacker has that amount of control over a target machine, they can serve literally anything as cockpit page which the browser will happily run. You don't need a vulnerability for that, just put your exploit into the overview page or anywhere else. This applies to an even higher degree to situations like Anaconda, where you have to trust the installer environment and hardware by definition. On top of that, the affected code is not even contained in the bundle, I checked with grep -Er '_omit|_unset' dist/ in a development build. Due to tree-shaking, only the parts of lodash that the PatternFly react-table project actually uses are present in the bundle.