
Polyfill.io vulnerability #2949

Open
billsanto opened this issue Aug 20, 2024 · 1 comment

Comments

@billsanto

Our security team detected the presence of polyfill in the application and it is rated as a high risk vulnerability. Is it possible to disable this, pending an update?

https://thehackernews.com/2024/06/over-110000-websites-affected-by.html

Invicti Enterprise identified the usage of Polyfill in the target web server's HTTP response.
Polyfill.io, a widely used JavaScript library, was compromised following its acquisition by Funnull, a China-based CDN company. Malicious code was injected into the library, redirecting users to harmful websites.
Impact
Affected Users: Over 110,000 websites
Nature of Malicious Activity: Redirecting users to sports betting and pornographic sites. Specific activation on certain mobile devices at particular times. Delayed execution to evade web analytics detection. Avoidance of activation when an admin user is detected.
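The scanner finding above is the kind of check that inspects the HTML returned by the server for `<script>` or `<link>` tags pointing at polyfill.io hosts. The following is an added example of that detection, not code from the issue thread or from this project: it scans a constructed HTML document and reports every reference whose host is `polyfill.io`, `cdn.polyfill.io`, or a subdomain of `polyfill.io`. The host list and the sample HTML are assumptions made for the example.

```javascript
// Added example (not part of the issue or the project): flag references to
// polyfill.io hosts in an HTML response body, as a response-inspecting
// scanner would. Hosts to flag are an assumption for this example.
const POLYFILL_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io"]);

// Constructed sample response body: two polyfill.io references among
// ordinary local and third-party assets.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<link rel="stylesheet" href="/static/app.css">
<script src="js/app.js"></script>
<script src="https://example.com/vendor/lib.js"></script>
</head><body></body></html>`;

// Return the lowercase hostname of a URL, or null for relative paths.
// Protocol-relative URLs (//host/path) get a scheme so URL() can parse them.
function hostOf(url) {
  const normalized = url.startsWith("//") ? "https:" + url : url;
  try {
    return new URL(normalized).hostname.toLowerCase();
  } catch {
    return null; // relative path such as js/app.js or /static/app.css
  }
}

function isPolyfillHost(host) {
  return POLYFILL_HOSTS.has(host) || host.endsWith(".polyfill.io");
}

// Scan <script src=...> and <link href=...> tags (quoted or unquoted
// attribute values) and collect those that resolve to a polyfill.io host.
function findPolyfillReferences(html) {
  const findings = [];
  const tagRe =
    /<(script|link)\b[^>]*?(?<![\w-])(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const url = m[3] ?? m[4] ?? m[5];
    const host = hostOf(url);
    if (host && isPolyfillHost(host)) {
      findings.push({ tag: m[1].toLowerCase(), attribute: m[2].toLowerCase(), url, host });
    }
  }
  return findings;
}

// Human-readable summary, one line per finding.
function report(findings) {
  if (findings.length === 0) return "no polyfill.io references found";
  return findings.map((f) => `${f.tag}[${f.attribute}] -> ${f.host} (${f.url})`).join("\n");
}

console.log(report(findPolyfillReferences(SAMPLE_HTML)));
```

Run it with `node` against a saved response body to see which tags would be flagged; the same function can be pointed at each page template in a build to confirm that no polyfill.io reference remains after the dependency is removed.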

@chrisknoll
Collaborator

I would be fine with this. There was an idea to apply babel to our build pipeline, but I think it can bloat our code by introducing polyfills that are not necessary in modern browsers.

We need someone familiar with the build chain to extract babel/polyfill from the build chain.
