polyfill.io Library is no longer considered safe to use

I think this priority and issue tag makes sense.

Since it's about a 3rd party library this can be fixed in public without a security advisory, but should ideally be addressed quickly with a code change and new release(s).

The webform module has the exact same issue 🐛 polyfill.io Library is no longer considered safe to use Fixed . They're solving it by replacing the suspicious url.

Here's a patch.

This looks good to me.

aaron.ferris → made their first commit to this issue’s fork.

Sorry didn't see the patch on this, raised an MR anyway.

Apologies - I didn't mean to hide the patch in #3 - I was just adding some tags to try to link related issues together.

Reuploading the patch, in case anyone needs it. It seems #3 was deleted by mistake. :)

There's a proposed change as an MR here so status should be Needs Review.

I'm marking this as RTBC. It is the most simple fix that resolves the current security issue with no other impacts.

That said, I think a better fix would be to totally remove the external library for a few reasons:

• External code is bad(tm)
• But yes, seriously, code from any third party that is only accessed at runtime is unpredictable, reduces testability and security
• The only use that Geofield Map is using polyfill for is IntersectionObserver. the availability of that is over 96% - https://caniuse.com/?search=IntersectionObserver

So yes, fastly is as far as trusted sources, pretty high. But, will they long term keep that domain? if they don't, will it be just a dead link? or will another hostile actor take control of it? With pretty much negligible benefit I think it would be better to remove but that could be a breaking change so I could see that as a follow-up depending on maintainer decisions.

I like the idea of committing this as-is, making a release, and moving to a removal as a followup task that can get more testing and upgrade notes before it gets released.

I agree with #14. There are valid points in #13, but considering this is a security issue, I think for now it's best to limit the scope (and time needed) and simply replace the malicious/untrustworthy url.

Removing the polyfill library altogether warrants a separate issue IMO.

Agreed with the above, fix the pressing issue at hand then a task in the backlog to remove said library.

+1 for moving the removal of the library to a followup!

Thanks a lot @here!
I merged the MR !16 and I am going to deploy a new Geofield Map 3.0.16 release with this, that exactly match the corresponding fix already happened on the the Drupal Leaflet module, some weeks ago ( https://www.drupal.org/project/leaflet/issues/3426106 📌 Polyfill.io is no longer considered safe and should be removed Fixed ).

Feel free to open a follow-up Feature Request if we would really better embed the whole polyfill.js library (https://polyfill-fastly.io/v3/polyfill.min.js?features=IntersectionObserver) in the Geofield Map module itself, and make everything more safe & solid.

Hi folks @here!

According to the all above discussion and worth inputs, and to the fact that the IntersectionObserver polyfill library is only loaded in case of Geofield Map Lazy Loading, and effectively used in case of very old Browsers (that natively don't support the IntersectionObserver API),
I decided to local embed the remote/External IntersectionObserver polyfill library into the Leaflet module,
so to avoid any future security and reliability issue related to Polyfill.io js library.

The new just deployed geofield_map 3.0.17 release → is indeed embedding the remote/External IntersectionObserver polyfill library into the Leaflet module itself.

Hopeful and confident that this makes a lot of sense (and improves/fixes module security issues on all of this)
Please feel free to open a new follow-up issue for any new issues related to any of this ...

"the fact that the IntersectionObserver polyfill library is only loaded in case of Geofield Map Lazy Loading" This is unfortunately not correct, as the polyfill is currently always loaded because of how the settings are checked before including the library. Opening an issue here on this. #3458531

thanks @yareckon ...
New geofield_map 3.0.18 → fixes that.

Thank you @itamair for the new release(s)!

P.S. Would you mind granting credits to those who contributed to solving this issue? Thank you!

@tinto proper credits were already provided into this commit message.

@itamair I don't want to interfere in your issue queue, but I'd vote for you to get issue credit on this, and other issues where you've done some great work addressing this incident.

Either way, thank you!

@itamair Maybe I'm confused, but the commit you linked adds the (most likely) malicious library back into the module (https://github.com/polyfillpolyfill/polyfill-service/). Why did you decide to not use Fastly in this case? We are attempting to get rid of all the references to polyfill.io out of our sites' codebases.

thanks @choicelildice ... but don't worry, I made sure that
this embedded (and frozen) /js/polyfill/polifillIntersectionObserver.min.js file is the minified matching the one provided with Fastly.io: https://polyfill-fastly.io/v3/polyfill.min.js?features=IntersectionObserver

I added a latest commit that makes all this more clear: https://git.drupalcode.org/project/geofield_map/-/commit/8d4d20ecd286a0a...

If you are able to test with IE 11 you also will evidence of that.

Ok ... totally done (and kind of fed-up) of this polyfill.io library drama,
I deployed a new Geofield Map 3.0.19 version → that
removes injection of polyfill/IntersectionObserver js library all the way, for backward support to very old browsers
and adds IntersectionObserver Browser Compatibility check disclaimer in the View and Formatter settings (https://git.drupalcode.org/project/geofield_map/-/commit/d82a7e6ee55132f...)

because polyfill/intersectionObserver js (polyfill.io) library:
polyfill/intersectionObserver js (polyfill.io) library is only needed with very old browsers versions (and its effectiveness is not really proven);
Geofield Map Lazy Load is going to fallback to normal Geofield Map load, if the browser don't support the 'IntersectionObserver' API/object;
polyfill/intersectionObserver js (polyfill.io) library is no longer considered safe to use (@see https://www.drupal.org/project/geofield_map/issues/3456704 📌 polyfill.io Library is no longer considered safe to use Fixed ) and https://github.com/polyfillpolyfill/polyfill-service/issues/2892)

Issue (double) closed!

Automatically closed - issue fixed for 2 weeks with no activity.