2pisoftware / cmfive-core

The core code base for Cmfive, pair this with the cmfive-boilerplate repository for a full featured Cmfive application.
https://cmfive.com
GNU General Public License v3.0

The layout-f6 template is using the malicious polyfill dot io domain #311

Open strongishllama opened 5 days ago

strongishllama commented 5 days ago

The layout-f6 template is using the malicious polyfill dot io domain.

https://github.com/2pisoftware/cmfive-core/blob/9a9ca769d26285c17a899356b6f445ac0f2304d9/system/templates/layout-f6.tpl.php#L12

This domain is being used to inject malware into client machines, see https://sansec.io/research/polyfill-supply-chain-attack and https://youtu.be/ILvNG1STUZU?si=ob6wK1IiAaXIUBwW for more info.

Cloudflare has a safe implementation available at https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js, see https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk for more info.

I searched the git history; this is the first commit it was added in: https://github.com/2pisoftware/cmfive-core/commit/eb44a6a687c7160820e94d8aac89e6d777f49df1, and it hasn't been used anywhere else in the codebase.
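A check that goes with this report, written here as an added example and not part of cmfive-core: a small Python scanner that walks template text line by line, pulls out every `<script src=...>`, and flags any source whose host is (or is a subdomain of) the compromised polyfill.io domain, reporting the line number and the cdnjs replacement URL from the Cloudflare post above. The host list, the sample template fragment and the function names are constructed for the example. It also records whether the tag carried an `integrity` attribute; polyfill.io served user-agent-dependent output, so SRI could never pin it, which is why removal or a static copy is the fix rather than a hash.

```python
import re
import sys
from typing import Dict, List, Optional

# Hosts treated as untrusted script origins. polyfill.io is the domain named
# in this issue; cdn.polyfill.io was its CDN alias. (Constructed list.)
BLOCKED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

# Known safe replacement from the Cloudflare announcement linked above.
REPLACEMENTS = {
    "polyfill.io": "https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js",
    "cdn.polyfill.io": "https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js",
}

# Constructed sample resembling a PHP layout template. Line 3 loads from the
# compromised domain; line 4 is the cdnjs replacement; line 5 is same-origin.
SAMPLE_TEMPLATE = """<html>
<head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/system/js/app.js"></script>
</head>
</html>
"""

SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Matches absolute and protocol-relative URLs; relative paths yield no host.
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.IGNORECASE)


def host_of(url: str) -> Optional[str]:
    """Return the lowercase host of an absolute/protocol-relative URL, else None."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None


def is_blocked(host: str, blocked=BLOCKED_HOSTS) -> bool:
    """True if host equals a blocked host or is a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in blocked)


def find_blocked_scripts(text: str, blocked=BLOCKED_HOSTS) -> List[Dict]:
    """Scan template text and return one finding per script loaded from a blocked host."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag_match in SCRIPT_TAG_RE.finditer(line):
            tag = tag_match.group(0)
            src = SRC_ATTR_RE.search(tag)
            if not src:
                continue  # inline script, nothing external to check
            url = src.group(1)
            host = host_of(url)
            if host is None or not is_blocked(host, blocked):
                continue
            findings.append({
                "line": lineno,
                "url": url,
                "host": host,
                "has_integrity": "integrity=" in tag.lower(),
                "replacement": suggest_replacement(host),
            })
    return findings


def suggest_replacement(host: str) -> Optional[str]:
    """Look up the known safe replacement for a blocked host, if one exists."""
    for b, url in REPLACEMENTS.items():
        if host == b or host.endswith("." + b):
            return url
    return None


def scan_file(path: str) -> List[Dict]:
    """Convenience wrapper: scan a template file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_blocked_scripts(fh.read())


if __name__ == "__main__":
    # With file arguments, scan those; otherwise scan the constructed sample.
    targets = sys.argv[1:]
    results = ([(p, f) for p in targets for f in scan_file(p)]
               if targets else [("<sample>", f) for f in find_blocked_scripts(SAMPLE_TEMPLATE)])
    for path, f in results:
        print(f"{path}:{f['line']}: script loaded from {f['host']} "
              f"(integrity={'yes' if f['has_integrity'] else 'no'}); "
              f"replacement: {f['replacement'] or 'remove the tag'}")
```

Run it as `python scan_polyfill.py system/templates/*.tpl.php` (the script name is an assumption) to get one line per offending tag; the cdnjs URL and same-origin scripts produce no findings, so a clean run prints nothing.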

strongishllama commented 5 days ago

FYI @adam-buckley @chris-bateman @careck

careck commented 4 days ago

Thanks @strongishllama for bringing this up!

We might just simply remove the polyfill; it's only for a very small subset of browsers at this point and it's only for the admin interface, so I can't see it being an issue if it's gone.

The domain itself has been taken down so the urgency is mostly gone but it'll still be a good idea to remove the domain.

adam-buckley commented 4 days ago

That whole template can be deleted; it's used in only one place in the CRM and that can go as well.

dragonflyfree commented 2 days ago

it's used in only one place in the CRM and that can go as well

You're referring to the Timewizard action of the CRM module, yes? Are you saying the action itself should be removed alongside the layout-f6 template file?

chris-bateman commented 13 hours ago

@adam-buckley ping

adam-buckley commented 11 hours ago

it's used in only one place in the CRM and that can go as well

You're referring to the Timewizard action of the CRM module, yes? Are you saying the action itself should be removed alongside the layout-f6 template file?

Yeah both can go 🙂