KriesiMedia / Enfold-Feature-Requests


Polyfill security issue #108

Open mgmason opened 2 weeks ago

mgmason commented 2 weeks ago

A user points out that Google Maps is alerting users about a Polyfill security issue, and requests that the theme stop loading it. It seems that the issue is from 3rd-party CDN services that override the WordPress Polyfill file with one that has malicious code. While Enfold links to the WordPress file, the user requests that the theme stop doing so, so there is no chance of the malicious one being loaded; it is unclear whether WordPress will also be doing anything similar.

Report of error ▸ https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/

WordPress issue ▸ https://wordpress.org/support/topic/pollyfill-io-security-issue/

Thread ▸ https://kriesi.at/support/topic/security-alert-polyfill-io-issue-for-google-maps-platform-users/#post-1460051
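A defensive check for the situation described in this report, added here as an example and not code from the Enfold theme, from WordPress core, or from anyone in this thread: a small must-use plugin that inspects every registered script handle just before scripts are printed, finds any whose source is served from polyfill.io, logs the offending handle, and blanks its source so the CDN file is never requested while the copy bundled with WordPress (a relative, local path) is left untouched. Dependents of the handle still resolve, because WordPress treats a handle without a `src` as an alias. The blocked host list, the function names and the log format are assumptions made for this illustration.

```php
<?php
/**
 * Added example (not Enfold, WordPress or thread-participant code).
 * Install as wp-content/mu-plugins/polyfill-guard.php. Requires PHP 8
 * (str_starts_with / str_ends_with); WordPress 5.9+ also polyfills them.
 */

/** Hosts treated as untrusted script sources. Constructed list for this example. */
const POLYFILL_GUARD_BLOCKED_HOSTS = [ 'polyfill.io' ];

/**
 * Return the handles whose src is hosted on (or under) a blocked host.
 * Relative paths, such as core's bundled polyfill, have no host and are skipped.
 *
 * @param array<string,string> $sources handle => script URL or path
 * @return string[] offending handles
 */
function polyfill_guard_find_blocked_handles( array $sources ): array {
    $hits = [];
    foreach ( $sources as $handle => $src ) {
        $src = (string) $src;
        // Protocol-relative URLs (//cdn.example/x.js) need a scheme for parse_url().
        $url  = str_starts_with( $src, '//' ) ? 'https:' . $src : $src;
        $host = parse_url( $url, PHP_URL_HOST );
        if ( ! is_string( $host ) ) {
            continue; // local path, nothing to block
        }
        $host = strtolower( $host );
        foreach ( POLYFILL_GUARD_BLOCKED_HOSTS as $blocked ) {
            if ( $host === $blocked || str_ends_with( $host, '.' . $blocked ) ) {
                $hits[] = (string) $handle;
                break;
            }
        }
    }
    return $hits;
}

if ( function_exists( 'add_action' ) ) {
    // wp_print_scripts fires right before script tags are emitted, on both the
    // front end and in wp-admin, so every handle has been registered by now.
    add_action( 'wp_print_scripts', function () {
        $registered = wp_scripts()->registered; // handle => _WP_Dependency
        $sources    = [];
        foreach ( $registered as $handle => $dep ) {
            $sources[ $handle ] = (string) $dep->src;
        }
        foreach ( polyfill_guard_find_blocked_handles( $sources ) as $handle ) {
            // Record the handle so the theme or plugin that registered it can be fixed.
            error_log( sprintf(
                '[polyfill-guard] blocked script "%s" (src: %s)',
                $handle,
                $sources[ $handle ]
            ) );
            // Blank the source: no tag is printed, but scripts depending on this
            // handle still load, which avoids the breakage discussed in the thread.
            $registered[ $handle ]->src = false;
        }
    }, 0 );
}
```

The logged handle name is the useful part for a site owner: it tells you which theme or plugin registered the CDN reference, which is exactly the question of where such a script is enqueued. `polyfill_guard_find_blocked_handles()` can also be run standalone against an array of handle => URL pairs to review a site's script list offline.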

InoPlugs commented 1 week ago

@mgmason

As far as I see, WP uses this for the block editor and react.js.

It is not possible to remove that without risk of breaking sites. We have to wait for WP to apply a patch.

Enfold does not link to the files.

As WP ships the files, there is a possible hack for WP core, but this is not update-safe:

peterolle commented 1 week ago

What will happen if WordPress removes it completely and Enfold is still calling it? Maybe it is safer to not use it?

Just a thought.

InoPlugs commented 6 days ago

@peterolle

I do not see where Enfold enqueues this. Can you please point out where you see it and how to reproduce?

peterolle commented 6 days ago

I do not see where Enfold enqueues this. Can you please point out where you see it and how to reproduce?

I don't know either. I was just pointing out that if WordPress decides to remove the thing and Enfold keeps using it, then everything will break.

InoPlugs commented 6 days ago

@peterolle

Thanks for your feedback. I'll keep it in mind.