GoogleChrome / lighthouse

Automated auditing, performance metrics, and best practices for the web.
https://developer.chrome.com/docs/lighthouse/overview/
Apache License 2.0

Security: Polyfill Supply Chain Attack #16090

Closed and-who closed 3 days ago

and-who commented 3 days ago

Summary: Currently there is an active security issue: https://sansec.io/research/polyfill-supply-chain-attack

which warns about the usage of 'cdn.polyfill.io'.

This project has third-party-web listed as a dependency, which uses this URL (could be just test URLs, but better be sure).

starsinmypockets commented 3 days ago

+1

connorjclark commented 3 days ago

There's no issue here.

nolanlf commented 3 days ago

Thanks for noting there is not an issue. Would it be possible to get context on why it is not an issue when the treemap/app/debug.json file references polyfill.io? (Is it just an old debug log, vs config... and are there risks polyfill.io could be called during debugging?). Thank you!

connorjclark commented 3 days ago

That's a test file, and the URL is just displayed, never fetched.
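
The distinction in that answer (a URL that appears as data versus one a runtime would actually load) is what a dependency audit for this incident has to establish. The following is an added example, not code from Lighthouse or third-party-web: a small static scanner that, given file contents, reports every reference to a suspect host and says whether it sits in a loading construct (`<script src>`, `<link href>`, `import`, dynamic `import()`, `fetch`) or is only a string, as in a JSON fixture. The host list, the fixture contents and the file names (including the `treemap/app/debug.json` label, borrowed from the thread but filled with invented contents) are all assumptions.

```javascript
// Added example, not part of Lighthouse or third-party-web.
// Hosts to flag: apex and any subdomain (so cdn.polyfill.io matches). Assumption.
const SUSPECT_HOSTS = ['polyfill.io'];

// Constructs whose first capture group is a URL the browser or Node would load.
const LOADING_PATTERNS = [
  { kind: 'html-script-src',   re: /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi },
  { kind: 'html-link-href',    re: /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi },
  { kind: 'js-static-import',  re: /\bimport\b[^'"(;]*["']([^"']+)["']/g },
  { kind: 'js-dynamic-import', re: /\bimport\s*\(\s*["']([^"']+)["']\s*\)/g },
  { kind: 'js-fetch',          re: /\bfetch\s*\(\s*["']([^"']+)["']/g },
];

// Absolute or protocol-relative URL tokens, cut at quotes, whitespace and brackets.
const URL_TOKEN = /(?:https?:)?\/\/[^\s"'<>()]+/g;

function hostOf(url) {
  try {
    // The base only matters for protocol-relative URLs such as //cdn.polyfill.io/x
    return new URL(url, 'https://placeholder.invalid/').hostname;
  } catch {
    return null;
  }
}

function isSuspectHost(host) {
  return host !== null && SUSPECT_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// URL -> loading construct for every URL a runtime would fetch from this line.
function loadingKindsOn(line) {
  const loads = new Map();
  for (const { kind, re } of LOADING_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(line)) !== null) loads.set(m[1], kind);
  }
  return loads;
}

function scanFile(path, contents) {
  const findings = [];
  contents.split('\n').forEach((line, idx) => {
    const loads = loadingKindsOn(line);
    for (const url of line.match(URL_TOKEN) || []) {
      if (!isSuspectHost(hostOf(url))) continue;
      const kind = loads.get(url) || 'string-only';
      findings.push({ path, line: idx + 1, url, kind, loads: kind !== 'string-only' });
    }
  });
  return findings;
}

function summarize(files) {
  const findings = Object.entries(files).flatMap(([p, c]) => scanFile(p, c));
  return {
    findings,
    loads: findings.filter((f) => f.loads),
    stringOnly: findings.filter((f) => !f.loads),
  };
}

// Constructed fixture files; these are not the real repository contents.
const SAMPLE_FILES = {
  'treemap/app/debug.json':
    '{\n  "requests": [\n    {"url": "https://cdn.polyfill.io/v3/polyfill.min.js", "transferSize": 1234}\n  ]\n}\n',
  'index.html':
    '<!doctype html>\n<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>\n',
  'loader.js':
    "const features = 'es6';\nimport('https://cdn.polyfill.io/v3/polyfill.min.js');\n",
  'vendor.js':
    "fetch('https://cdn.example.net/a.js');\n",
};

const report = summarize(SAMPLE_FILES);
for (const f of report.findings) {
  console.log(`${f.loads ? 'LOADS ' : 'string'} ${f.path}:${f.line} ${f.kind} ${f.url}`);
}
```

On the fixture above, only `index.html` and `loader.js` are reported as loading from the host; the JSON entry is reported as string-only, which is the situation the reply describes. The scan is regex-based and static, so a URL built by concatenation, read from JSON and injected into a script tag by a build step, or requested by a library you do not scan will be missed; treat a clean result as a lead, and confirm by watching the network log (in a browser's DevTools Network panel or with a proxy) during the actual test or build run.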

nolanlf commented 3 days ago

Thank you. Perfect!