Choices-js / Choices

A vanilla JS customisable select box/text input plugin ⚡️
https://choices-js.github.io/Choices/
MIT License

Remove malicious polyfill.io usage #1161

Open alanhamlett opened 1 week ago

alanhamlett commented 1 week ago

Polyfill.io is redirecting to malicious websites. This PR removes the optional and unnecessary polyfill.io usage.

hotwebmatter commented 1 week ago

I'm not a maintainer, but this looks good to me.

Merging this would also resolve https://github.com/Choices-js/Choices/pull/1162

There's some urgency here; without this patch, the Choices-js library functions as a vector for malware. 👾

mbomb007 commented 1 week ago

I will also note that the website linked on the repo, choices-js[dot]github[dot]io/Choices/ contains the malicious CDN until this is fixed.

mbomb007 commented 1 week ago

The repo doesn't appear to be maintained anymore. Nothing has been committed or merged in two years, neither on this repo, nor in any other repo by the main two maintainers.

Can someone contact a maintainer or someone with access to merge commits?

icf-chartmann commented 4 days ago

I'm emailing the maintainer at matt@modeldba.com

Hi Matt,

There is a PR (https://github.com/Choices-js/Choices/pull/1161) to replace the newly malicious polyfill.io dependency for the Choices library. The PR has been reviewed and approved but requires the maintainer to merge. There are hundreds of thousands of Drupal websites using Webforms that rely on this plugin. Please review and merge. I will help find a new maintainer if you’re interested, but for now, please take action on this critical security issue.

Sincerely, Carey Hartmann and the Drupal Community