We need to remove QtWebKit from the distro. The upstream project says this when you go to their download page:
------ WARNING: This release is based on old WebKit revision with known unpatched vulnerabilities. Please use it carefully and avoid visiting untrusted websites and using it for transmission of sensitive data. Please wait for new release from qtwebkit-dev branch to use it with untrusted content. ------ And a bit of discussion from the oss-sec mailing list [0], quoting here: ------ QtWebKit was a rendering engine for web content released with Qt until 5.6. It was replaced with QtWebEngine after that. Despite a community fork in 2016, nothing really happened to keep it alive and secure. ------ And: ------ Readers of this list will likely be familiar with the regular postings regarding WebKitGTK vulnerabilities: many of them are likely applicable to QtWebKit too, especially the WebKitGTK-based fork ------ So, the dozens (hundreds?) of notable security bugs fixed in WebKitGTK are totally unfixed in QtWebKit. Many of these bugs are considered "arbitrary code execution" bugs. And the broader context is that there won't be a future for this package, as Qt has abandoned WebKit in favor of Chromium. This package will not improve. If people want to keep using QtWebKit, they can maintain it in a channel. [0] https://seclists.org/oss-sec/2021/q3/66