jafarm
Level 2

CVE-2016-2542 in ISSetup.dll for Installshield 2020 and Installshield 2022

BDBA has started to detect CVE-2016-2542 in ISSetup.dll for packages that have been built in InstallShield 2020 and InstallShield 2022. It is not clear what the remediation is, as the packages never showed the vulnerability before (the CVE is 7 years old). Looking at the "Windows loads a different library or launches a different executable than was intended by the author" article, the packages being created do not fall into any of the scenarios mentioned there. IMPORTANT: Setup launchers are not enabled for the ISM projects producing the packages.

Basic MSI is being used; custom actions and InstallScript functions are also used (full paths to executables and DLLs are used).

When I started to investigate, my suspicion was that all the packages that were using InstallScript functions referenced by custom actions were affected; however, this is not the case. Only certain packages are affected.

Can someone explain how ISSetup.dll is used by InstallScript in the context of Basic MSI projects, and why not all of the projects that execute InstallScript functions ship ISSetup.dll?

Also, how can I avoid shipping ISSetup.dll, or how can I mitigate the CVE in these versions of InstallShield?

Revenera_Ian
Revenera Moderator

Hi @jafarm,

Thank you for your post.

Please accept our apologies for the delayed response.

Our Engineering Team is reviewing this vulnerability and determining whether InstallShield is impacted. We'll keep you posted on our findings.

Please let us know if you have any questions or concerns. Thanks!
