WICG / inert

Polyfill for the inert attribute and property.

Security Fix: Replace compromised polyfill.io cdn with cloudflare cdn #197

Closed mojitane closed 2 days ago

mojitane commented 2 weeks ago

There has been a polyfill.io CDN supply chain attack. It is advised to remove all references to this CDN immediately. This PR removes the compromised polyfill.io CDN from the demo index.html file as well as the main readme and replaces them with the Cloudflare CDN.

Even though it is just referenced in the demo files, it is critical to remove it immediately, as people reading the docs might use it. Additionally, many companies scan their repositories for compromised URLs and are now unable to use this package.

Details: https://sansec.io/research/polyfill-supply-chain-attack

w3cbot commented 2 weeks ago

mojitane marked as non substantive for IPR from ash-nazg.

jlczuk commented 5 days ago

@mojitane You might want to include karma.config.js as it makes reference to polyfill.io as well. Scanners aren't always very bright and err on the side of caution. So the presence of polyfill.io in any file could be sufficient cause to flag the package as vulnerable.
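Both the PR description (companies scanning repositories for the compromised URL) and the comment above (a scanner flagging any file that mentions polyfill.io, karma.config.js included) describe the same check. The script below is an added example of such a scan; it is not code from the WICG/inert project or from this PR. It walks a checkout, reports every line in every file that references the polyfill.io domain, and builds a small constructed sample tree whose file names (demo/index.html, README.md, karma.config.js) mirror the ones named in the discussion; the sample contents are made up for the demonstration.

```python
"""Report every file in a repository checkout that references polyfill.io.

Added example, not code from the WICG/inert project. It mimics the kind of
repository scanner the PR discussion mentions: a file is flagged whenever it
mentions the domain, whether that is a demo page, the README or a test
config such as karma.config.js.
"""
import os
import re
import tempfile
from pathlib import Path

# Match the bare domain wherever it appears (https://, protocol-relative //,
# inside a longer host such as cdn.polyfill.io), case-insensitively, without
# matching an unrelated host that merely ends in "polyfill.io".
POLYFILL_IO = re.compile(r"(?:^|[^a-z0-9-])polyfill\.io\b", re.IGNORECASE)

# Directories that are not project sources.
SKIP_DIRS = {".git"}


def scan_file(path: Path) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) pairs in `path` that mention polyfill.io."""
    hits: list[tuple[int, str]] = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits
    for lineno, line in enumerate(text.splitlines(), start=1):
        if POLYFILL_IO.search(line):
            hits.append((lineno, line.strip()))
    return hits


def scan_repo(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Walk `root` and collect every file that references polyfill.io."""
    findings: dict[str, list[tuple[int, str]]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_repo(root: Path) -> None:
    """Create a constructed tree mirroring the files named in the PR discussion."""
    (root / "demo").mkdir()
    # Demo page still loading the script from the compromised CDN (constructed).
    (root / "demo" / "index.html").write_text(
        '<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>\n'
    )
    # README already switched to the Cloudflare CDN: must not be flagged (constructed).
    (root / "README.md").write_text(
        "Load the polyfill from https://cdnjs.cloudflare.com/ajax/libs/ instead.\n"
    )
    # Test config with a protocol-relative reference, as the comment warns (constructed).
    (root / "karma.config.js").write_text(
        "files: ['//polyfill.io/v2/polyfill.js', 'dist/inert.js'],\n"
    )


def demo() -> dict[str, list[tuple[int, str]]]:
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return scan_repo(root)


if __name__ == "__main__":
    for rel_path, hits in sorted(demo().items()):
        for lineno, line in hits:
            print(f"{rel_path}:{lineno}: {line}")
```

Run against a real checkout by calling `scan_repo(Path("."))` instead of `demo()`; a non-empty result is the condition under which the scanners described above would refuse the package, which is why the reference in karma.config.js matters even though it is never served to users.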