polyfill.io library is no longer considered safe to use

Open on Drupal.org →

Created on 24 June 2024, 4 days ago

Updated 26 June 2024, 2 days ago

Problem/Motivation

The polyfill.io library has been sold to a Chinese company named Funnull that is not considered trustworthy. We believe this poses a grave security threat and the library is now considered unsafe.

https://twitter.com/triblondon/status/1761852117579427975

There is also evidence https://github.com/polyfillpolyfill/polyfill-service/issues/2873#issueco... that polyfill.io is used to serve malicious code.

Proposed resolution

There are some mentions in the project code comments to polyfill.io which could be replaced with a safe option from Fastly or Cloudflare.

https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-yo...

📌 Task

Status

Version

1.0

Component

Code

Created by

🇫🇮Finland HeikkiY Oulu

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

polyfill.io

Sign in to follow issues

Merge Requests

!6polyfill.io library is no longer considered safe to use
Merged
🇮🇳India abhiyanshu_rawat
updated 2 days ago

Comments & Activities

Issue created by @HeikkiY
Comment 4 days ago →
🇺🇸United States greggles Denver, Colorado, USA
I think this priority and issue tag makes sense.

Since it's about a 3rd party library this can be fixed in public without a security advisory, but should ideally be addressed quickly with a code change and new release(s).
Assigned to webfaqtory
Comment 4 days ago →
🇬🇧United Kingdom webfaqtory
Comment 3 days ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
First commit to issue fork.
Comment 3 days ago →
🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Merge request !6Updated the comments with the fastly.io → (Merged) created by abhiyanshu_rawat
Comment 3 days ago →
🇮🇳India abhiyanshu_rawat
I have updated all the comments with polyfill-fastly.io to avoid accidentally using the wrong CDN for the files. Thanks.
Status changed to Needs review 3 days ago6:02pm 25 June 2024
Comment 3 days ago →
🇺🇸United States greggles Denver, Colorado, USA
Adjusting status as the MR needs review.

It generally looks good to me. Thanks.
Status changed to RTBC 2 days ago12:17pm 26 June 2024
Comment 2 days ago →
🇬🇧United Kingdom webfaqtory

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024