BoldGrid / weforms


Replace https://cdn.polyfill.io/v2/polyfill.min.js with https://cdnjs.cloudflare.com/polyfill/v2/polyfill.min.js #233

Closed torklebee closed 4 months ago

torklebee commented 4 months ago

Replace https://cdn.polyfill.io/v2/polyfill.min.js with https://cdnjs.cloudflare.com/polyfill/v2/polyfill.min.js since cdn.polyfill is a security vulnerability

"Polyfill.js is a popular JavaScript library to support older browser versions. The framework allows developers to use JavaScript APIs regardless of whether a browser supports it. It first checks if the browser supports the API in question. If so, it uses the browser’s API. If not, it uses its own implementation. Thanks to its utility, more than 100,000 sites use this library, usually as an npm package dependency. In February this year, a Chinese company purchased the GitHub repository and the polyfill.io website, and has made changes that started to inject malware into sites. The scale of the malware attack became major news this week. The issue was not within the library code, but rather that the malware was injected into sites that used the domain cdn.polyfill.io – also controlled by this Chinese company. Cloudflare has warned customers since February about a supply-chain risk coming from using cdn.polyfill.io, and has started to host the polyfill.js library on its more trustworthy cdnjs service. This is a reminder that open source libraries are increasingly tempting attack vectors for bad actors. It turns out Cloudflare was right to warn not to trust cdn.polyfill.io after the ownership change. Anything hosted on someone else’s CDN domain is susceptible to such an attack – the only difference is that reputable CDN providers like Cloudflare, Akamai, Fastly and others have a vested business interest in keeping their services malware-free. Just three months ago, in March, we saw the XZ Utils backdoor attack, which was a much more sophisticated attempt to introduce a malicious backdoor into all Linux distributions. If successful, the implications of that hack would have been devastating. Luckily, a vigilant security engineer – Andres Freund – caught the issue, after noticing SSH connections taking a strangely high amount of CPU usage. Without Andres spotting the issue, this could have well become the most impactful backdoor deployed, globally.
The Polyfill.js incident is also a reminder to use as few dependencies as possible, because each one opens attack vectors if an open source project is sold off, or a bad actor infiltrates it. If you are using Polyfill, the newly created website “Polykill” (nice pun) offers advice on how to replace it with a secure version. And a high-five to Cloudflare for flagging this issue right when it started. It seems that Cloudflare is stepping in as the security team for Okta, but for the wider web as well."
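An added example (not code from the weforms plugin or from torklebee's post): a small Python audit that finds every reference to cdn.polyfill.io in plugin source, rewrites the /v&lt;N&gt;/polyfill[.min].js URLs to the cdnjs mirror named in the issue while keeping any ?features= query string, and reports whatever is still pointing at the risky host for manual review. The sample plugin source is constructed; that cdnjs mirrors the same path layout for other versions and for the unminified file is an assumption (the issue itself only names /v2/polyfill.min.js).

```python
import re

# Hosts named in the issue: the one to move away from and the cdnjs mirror to move to.
RISKY_HOST = "cdn.polyfill.io"
SAFE_BASE = "https://cdnjs.cloudflare.com/polyfill"

# Any reference to the risky host, whether https://, http:// or protocol-relative //.
_ANY_RISKY_RE = re.compile(r"(?:https?:)?//cdn\.polyfill\.io(?P<path>/[^\s\"'<>]*)?")

# The shape we can rewrite mechanically. Version and .min suffix are preserved.
# Assumption: cdnjs serves the same /v<N>/polyfill[.min].js layout as the original host.
_REWRITABLE_RE = re.compile(
    r"(?:https?:)?//cdn\.polyfill\.io/(?P<ver>v\d+)/polyfill(?P<min>\.min)?\.js"
    r"(?P<query>\?[^\s\"'<>]*)?"
)


def find_polyfill_refs(source):
    """Return (line_number, matched_url) for every cdn.polyfill.io reference in source."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        for m in _ANY_RISKY_RE.finditer(line):
            hits.append((n, m.group(0)))
    return hits


def rewrite_polyfill_refs(source):
    """Swap the host on every rewritable URL, keeping version, .min suffix and ?features=..."""
    def _swap(m):
        return "%s/%s/polyfill%s.js%s" % (
            SAFE_BASE, m.group("ver"), m.group("min") or "", m.group("query") or "")
    return _REWRITABLE_RE.sub(_swap, source)


def audit(source):
    """Rewrite what can be rewritten; return the new source plus any leftover risky references."""
    rewritten = rewrite_polyfill_refs(source)
    return rewritten, find_polyfill_refs(rewritten)


# Constructed sample plugin file: a WordPress enqueue call plus some inline markup.
SAMPLE_SOURCE = """<?php
// Constructed sample: a plugin that enqueues the polyfill script from the risky host.
wp_enqueue_script( 'polyfill', 'https://cdn.polyfill.io/v2/polyfill.min.js', array(), null );
?>
<script src="//cdn.polyfill.io/v2/polyfill.min.js?features=Promise,fetch"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.js?features=es6"></script>
<!-- see https://cdn.polyfill.io/ for the feature list -->
"""

if __name__ == "__main__":
    new_source, leftover = audit(SAMPLE_SOURCE)
    print(new_source)
    for line_no, url in leftover:
        print("still references %s on line %d: %s" % (RISKY_HOST, line_no, url))
```

The leftover list is the part worth reading: a bare link to the host in a comment is harmless, but a `<script>` tag with an unusual path that the rewrite could not handle is not.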

avonville commented 4 months ago

Hello,

Thank you for reaching out. We have updated the plugin to use Cloudflare instead of Polyfill.io directly in our most recent update. If you haven't already, please update the plugin through your installed plugins on your site.