polyfill.io library is no longer considered safe to use

Created on 24 June 2024, 5 months ago
Updated 2 July 2024, 5 months ago

Problem/Motivation

The polyfill.io library has been sold to a Chinese company named Funnull that is not considered trustworthy. We believe this poses a grave security threat and the library is now considered unsafe.

https://twitter.com/triblondon/status/1761852117579427975

There is also evidence https://github.com/polyfillpolyfill/polyfill-service/issues/2873#issueco... that polyfill.io is used to serve malicious code.

Proposed resolution

There are some mentions in the module about polyfill.io for example in https://git.drupalcode.org/project/dsfr/-/blob/2.1.x/dist/dsfr/dsfr.nomo.... It would be good to replace it with a safe option from Fastly or Cloudflare. These seem to be in some dist files which need to be checked.

https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-yo...

📌 Task
Status: Active
Version: 2.1
Component: Code
Created by: 🇫🇮Finland heikkiy Oulu

Tags:
  • Security

Comments & Activities

  • Issue created by @heikkiy
  • 🇺🇸United States greggles Denver, Colorado, USA

    I think this priority and issue tag makes sense.

    Since it's about a 3rd party library this can be fixed in public without a security advisory, but should ideally be addressed quickly with a code change and new release(s).

  • 🇺🇸United States greggles Denver, Colorado, USA

    This was originally "minor" since polyfill is just mentioned in comments, but it would be good to update/remove that even in a comment to avoid accidentally using the wrong cdn for the files.

  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
  • 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
  • First commit to issue fork.
  • 🇮🇳India abhiyanshu_rawat

    Hi @greggles,
    I installed the theme locally and didn't find any comments related to polyfill.io.
    However, polyfill-io is present only in the .js.map file, and the changes related to it are not in the base file of the map file.
    Please refer to the attached screenshot for more clarity.

    I believe we can ignore it, or if you have any suggestions, please let us know so that we can proceed accordingly. Thanks.
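
The proposed resolution above asks for polyfill.io references in the dist files to be found and pointed at a safe mirror, and the comment above notes that the only hit was inside a .js.map file. The following is an added example, not part of the dsfr project or of this issue's comments: a small scanner that walks a build directory, reports every polyfill.io URL, and for source maps distinguishes hits inside `sourcesContent` (original source embedded for debugging, which browsers never execute) from hits in anything that is actually shipped. The `rewrite_to_mirror` helper rewrites the host to the cdnjs mirror from the Cloudflare announcement linked in the issue summary; the mirror path, the regex and the sample dist tree it builds are assumptions of this example, so check the mirror URL against that announcement before relying on it.

```python
"""Find polyfill.io references in a built theme and say where each one lives.

Added example for this issue (not the dsfr project's own code). The cdnjs
mirror URL is taken from the Cloudflare announcement linked in the issue
summary; verify it there before using the rewrite helper on real files.
"""
import json
import re
import tempfile
from pathlib import Path

# Matches the polyfill.io host (and the old cdn.polyfill.io alias) plus any path/query.
POLYFILL_RE = re.compile(r"https?://(?:cdn\.)?polyfill\.io(/[^\s\"'()<>]*)?")
# Assumed mirror base from the Cloudflare post: same /v3/polyfill.min.js?features=... layout.
SAFE_MIRROR = "https://cdnjs.cloudflare.com/polyfill"


def find_refs(text):
    """Return every polyfill.io URL found in a blob of text."""
    return [m.group(0) for m in POLYFILL_RE.finditer(text)]


def rewrite_to_mirror(text):
    """Point every polyfill.io URL at the cdnjs mirror, keeping path and query string."""
    return POLYFILL_RE.sub(lambda m: SAFE_MIRROR + (m.group(1) or "/"), text)


def scan_source_map(map_text):
    """Classify hits in a source map.

    'embedded_source' hits sit in sourcesContent (bundled original sources, not
    executed by the browser); 'other' hits are anywhere else in the map.
    """
    data = json.loads(map_text)
    embedded = []
    for src in data.get("sourcesContent") or []:
        if src:
            embedded.extend(find_refs(src))
    data.pop("sourcesContent", None)
    other = find_refs(json.dumps(data))
    return {"embedded_source": embedded, "other": other}


def scan_tree(root):
    """Walk root and return (relative path, category, url) tuples.

    Category is 'shipped' for any non-map text file a browser could load
    (js, css, html, twig, json ...), 'embedded_source' or 'map_other' for maps.
    """
    rootp = Path(root)
    findings = []
    for path in sorted(rootp.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary asset (font, image), nothing to scan
        rel = path.relative_to(rootp).as_posix()
        if path.suffix == ".map":
            try:
                hits = scan_source_map(text)
            except ValueError:  # not valid JSON, treat as plain text
                hits = {"embedded_source": [], "other": find_refs(text)}
            findings += [(rel, "embedded_source", u) for u in hits["embedded_source"]]
            findings += [(rel, "map_other", u) for u in hits["other"]]
        else:
            findings += [(rel, "shipped", u) for u in find_refs(text)]
    return findings


def build_demo(root=None):
    """Write a constructed mini dist tree (sample data, not the real theme) and return its path."""
    rootp = Path(root or tempfile.mkdtemp())
    dist = rootp / "dist"
    dist.mkdir(parents=True, exist_ok=True)
    (dist / "page.html").write_text(
        '<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>\n',
        encoding="utf-8")
    (dist / "app.min.js").write_text("console.log('no polyfill here');\n", encoding="utf-8")
    (dist / "app.min.js.map").write_text(json.dumps({
        "version": 3, "file": "app.min.js", "sources": ["src/app.js"],
        "sourcesContent": ["// fallback loader: https://polyfill.io/v3/polyfill.min.js\n"],
        "mappings": "AAAA"}), encoding="utf-8")
    return rootp


if __name__ == "__main__":
    for rel, kind, url in scan_tree(build_demo()):
        print(f"{kind:16} {rel}: {url}")
```

Run it against the theme's dist directory instead of the demo tree to get the same report for real files. A hit classified as `embedded_source` only means the map carries the original source text; the file to fix in that case is the source that was bundled, so the reference does not come back on the next build.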

  • Hello,
    Thank you for all your feedback. We will correct this and update the theme with the new version of DSFR 1.12.1.
