Is this just a known false-positive issue?
It's not a "known" false positive but it's almost certainly a false positive.
Sounds like a false positive, certainly ogv.js is not an exploit. :) Should report upstream to cpanel or clamav or whatever is doing the scanning?
I've submitted them upstream to clamav for false positive checking.
Having T165019 in mind I'd say it's another false positive...
I'm going to resolve this bug. There's literally nothing we can do here.