OHDSI / Atlas

ATLAS is an open source software tool for researchers to conduct scientific analyses on standardized observational data
http://atlas-demo.ohdsi.org/
Apache License 2.0
272 stars 137 forks source link

Polyfill.io vulnerability #2949

Open billsanto opened 2 months ago

billsanto commented 2 months ago

Our security team detected the presence of polyfill in the application and it is rated as a high risk vulnerability. Is it possible to disable this, pending an update?

https://thehackernews.com/2024/06/over-110000-websites-affected-by.html

Invicti Enterprise identified the usage of Pollyfill in the target web server’s HTTP response. Polyfill.io, a widely used JavaScript library, was compromised following its acquisition by Funnull, a China-based CDN company. Malicious code was injected into the library, redirecting users to harmful websites. Impact Affected Users: Over 110,000 websites Nature of Malicious Activity: Redirecting users to sports betting and pornographic sites. Specific activation on certain mobile devices at particular times. Delayed execution to evade web analytics detection. Avoidance of activation when an admin user is detected.

chrisknoll commented 2 months ago

I would be fine with this. There was an idea to apply babel to our build pipeline, but I think it can bloat our code by introducing polyfills that are not necessary in modern browsers.

We need someone familiar with the build chain to extract babel/polyfil from the build chain.