Contrib.social

polyfill.io Library is no longer considered safe to use

Open on Drupal.org →
Created on 24 June 2024, 4 days ago
Updated 25 June 2024, 3 days ago

Problem/Motivation

The polyfill.io library has been sold to a chinese company named Funnull that is not considered trustworthy. We believe this poses a grave security threat and the library is now considered unsafe.

https://twitter.com/triblondon/status/1761852117579427975

There is also evidence https://github.com/polyfillpolyfill/polyfill-service/issues/2873#issueco... that polyfill.io is used to serve malicious code.

Proposed resolution

Polyfill.io is mentioned in the project README: https://git.drupalcode.org/project/webform_prefill/-/blob/7.x-1.x/README.... It would be good to replace it with a safe option from Fastly or Cloudflare.

https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-yo...

📌 Task
Status

Fixed

Version

1.2

Component

Documentation

Created by

🇫🇮Finland HeikkiY Oulu

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

  • Issue created by @HeikkiY
  • Comment 4 days ago
    🇺🇸United States greggles Denver, Colorado, USA

    I think this priority and issue tag makes sense.

    Since it's about a 3rd party library this can be fixed in public without a security advisory, but should ideally be addressed quickly with a code change and new release(s).

  • Status changed to Fixed 4 days ago
  • Comment 4 days ago
    🇦🇹Austria torotil

    While it’s technically true that the README mentioned polyfill.io as as an example, it’s a bit strange for me to consider that a security issue.

    However I’ve removed it from the README and tagged a new 7.x-1.3 (bugfix) release for this. I also removed the same sentence in the project description.

  • Comment 3 days ago
    🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺

    Thank you @torotil - it's only a Security issue in that the trustworthiness of the original 3rd party service has been questioned, so it's probably best not to provide that specifically as an example any more. Appreciate your swift action.

  • Comment 3 days ago
    🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
  • Comment 3 days ago
    🇺🇸United States greggles Denver, Colorado, USA

    Thanks for the quick fix. I agree this instance isn't as critical given it was in the documentation.

    FWIW, I noticed that 7.x-1.x doesn't have the fix in it just yet. Maybe that branch hasn't been merged or hasn't been pushed?

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024