What
On the support/4.x branch, replace links to the polyfill.io website in the comments of our vendored polyfills with the following note at the top of the file:
/**
* NOTE
*
* These polyfills were generated using polyfill.io, which was reported as compromised on 25th June 2024.
*
* We generated this code well before the compromise, and it is free of malicious code.
* However, we recommend checking any polyfills you have generated in a similar way.
*/
Why
polyfill.io was reported as compromised on 25th June 2024. While our code doesn't load scripts directly from the live service, the polyfills in govuk-frontend had been extracted from this service while it was free of malicious code. These extracts have comments pointing to the polyfill.io website, which would lead our users to a malicious site.
Who needs to work on this
Developers
Who needs to review this
Developers
Done when
[x] Comments linking to polyfill.io in our polyfills have been removed in favour of the note above.