Open strongishllama opened 5 days ago
FYI @adam-buckley @chris-bateman @careck
Thanks @strongishllama for bringing this up!
We might just simply remove the polyfill, it's only for a very small subset of browsers at this point and it's only for the admin interface so I can't see it being an issue if it's gone.
The domain itself has been taken down so the urgency is mostly gone but it'll still be a good idea to remove the domain.
That whole template can be deleted, it's used in only one place in the CRM and that can go as well
it's used in only one place in the CRM and that can go as well
You're referring to the Timewizard action of the CRM module, yes? Are you saying the action itself should be removed alongside the layout-f6
template file?
@adam-buckley ping
it's used in only one place in the CRM and that can go as well
You're referring to the Timewizard action of the CRM module, yes? Are you saying the action itself should be removed alongside the
layout-f6
template file?
Yeah both can go 🙂
The layout-f6 template is using the malicious polyfill dot io domain.
https://github.com/2pisoftware/cmfive-core/blob/9a9ca769d26285c17a899356b6f445ac0f2304d9/system/templates/layout-f6.tpl.php#L12
This domain is being used to inject malware into client machines, see https://sansec.io/research/polyfill-supply-chain-attack and https://youtu.be/ILvNG1STUZU?si=ob6wK1IiAaXIUBwW for more info.
Cloudflare has a safe implementation available at
https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js
, see https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk for more info.I searched the git history, this is the first commit it was added https://github.com/2pisoftware/cmfive-core/commit/eb44a6a687c7160820e94d8aac89e6d777f49df1 and it hasn't been used anywhere else in the codebase.