benwinding / quill-image-compress

A Quill rich text editor Module which compresses images uploaded to the editor
https://benwinding.github.io/quill-image-compress/src/demo.html
MIT License

Security Concern: Remove Reference to Malicious polyfill.io Script #50

Closed piniamiram-lv closed 4 months ago

piniamiram-lv commented 4 months ago

Hello,

I noticed that your project references cdn.polyfill.io in both demo.html and the README file. Recently, polyfill.io was reported as malicious, which poses a security risk.

Could you please provide an updated version of the package that removes any reference to this vulnerable script?

For more information, please refer to the following sources:

https://www.theregister.com/2024/06/25/polyfillio_china_crisis/
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk

benwinding commented 4 months ago

Thanks for reporting that @piniamiram-lv 🙏

I've actually done a search, and there are a few references in my repos 😨

https://github.com/search?q=owner%3Abenwinding%20polyfill.io&type=code

Will begin migrating off them 👌

benwinding commented 4 months ago

Actually looking like they've terminated the domain, so not really an urgent concern tbh...

https://x.com/malwrhunterteam/status/1806074377383121148

piniamiram-lv commented 4 months ago

@benwinding thanks for your reply. I guess you're right and it's not that urgent; this is also mentioned here: https://sansec.io/research/polyfill-supply-chain-attack, but I think it's still recommended to remove the references from the code.

benwinding commented 4 months ago

Done in 6d248f4bd483b0a0d669be2adc4637060ea0057f
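The fix above removed the references by hand, and the maintainer found the others with a GitHub code search. The scanner below is an added example for this thread (it is not code from quill-image-compress and not what the maintainer ran): it walks HTML and Markdown sources, pulls out every third-party `<script src>` and bare URL, flags hosts on a reviewer-maintained block list such as `polyfill.io`, and also records whether each script tag carried an `integrity` (SRI) attribute, which is the control that would have stopped a swapped CDN payload from loading. The `BLOCKED_DOMAINS` set and the two sample files are constructed stand-ins for a demo page and README, not the project's real files.

```python
"""Scan HTML/Markdown sources for third-party script references.

Added example for the polyfill.io issue thread; not quill-image-compress code.
BLOCKED_DOMAINS and SAMPLE_FILES are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical block list kept by the reviewer. polyfill.io is the host this
# issue is about; any subdomain (cdn.polyfill.io, ...) is treated as blocked too.
BLOCKED_DOMAINS = {"polyfill.io"}

# Constructed sample inputs standing in for demo.html and README.md.
SAMPLE_FILES = {
    "demo.html": """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/quill@1.3.6/dist/quill.min.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="./quill.imageCompressor.min.js"></script>
</head><body></body></html>
""",
    "README.md": """# quill-image-compress
Load the polyfill first: `<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>`
Then load Quill from https://cdn.jsdelivr.net/npm/quill@1.3.6/dist/quill.min.js
""",
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)      # tag may span lines
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
INTEGRITY_ATTR = re.compile(r"\bintegrity\s*=", re.IGNORECASE)
BARE_URL = re.compile(r"""https?://[^\s"'<>`)]+""")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    url: str
    domain: str
    blocked: bool   # host (or a parent domain) is on the block list
    has_sri: bool   # <script> carried an integrity attribute; False for bare URLs


def _line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def _domain_blocked(host, blocked):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in blocked)


def scan_text(name, text, blocked=BLOCKED_DOMAINS):
    """Return every third-party script reference in one file's text."""
    findings, tag_spans = [], []
    # 1. <script src=...> tags: these are the ones where SRI can be checked.
    for tag in SCRIPT_TAG.finditer(text):
        tag_spans.append(tag.span())
        attrs = tag.group(1)
        src = SRC_ATTR.search(attrs)
        if not src:
            continue
        url = src.group(1)
        host = urlparse(url).hostname
        if not host:            # relative/local script, not third party
            continue
        findings.append(Finding(name, _line_of(text, tag.start()), url, host,
                                _domain_blocked(host, blocked),
                                bool(INTEGRITY_ATTR.search(attrs))))
    # 2. Bare URLs in prose/comments (README instructions). Skip URLs that
    #    already sit inside a script tag so they are not reported twice.
    for m in BARE_URL.finditer(text):
        if any(a <= m.start() < b for a, b in tag_spans):
            continue
        host = urlparse(m.group(0)).hostname
        if host:
            findings.append(Finding(name, _line_of(text, m.start()), m.group(0),
                                    host, _domain_blocked(host, blocked), False))
    findings.sort(key=lambda f: f.line)
    return findings


def scan_files(files, blocked=BLOCKED_DOMAINS):
    """files: mapping of file name -> text. Returns findings across all files."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text, blocked))
    return out


def blocked_findings(findings):
    return [f for f in findings if f.blocked]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        status = "BLOCKED" if f.blocked else ("ok" if f.has_sri else "no SRI")
        print(f"{f.file}:{f.line} {f.domain} {status}")
```

Running it on the constructed samples reports the two `cdn.polyfill.io` references as blocked and the jsdelivr reference in the README as lacking SRI; in a real repository you would feed `scan_files` a dict built from `pathlib.Path.read_text()` over `*.html` and `*.md` and fail CI on any blocked finding.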