esabol
commented
4 months ago Hello? Is anyone there?
Open esabol opened 4 months ago
esabol
commented
4 months ago Hello? Is anyone there?
levinmr
commented
4 months ago Please provide the site URL where you are experiencing this error so that we can attempt to reproduce the problem. Thanks
levinmr
commented
4 months ago @esabol I'm having trouble reproducing the problem. I tried the above URL in chrome/firefox/safari. The only error I see is the following
esabol
commented
4 months ago We're experiencing heavy load currently, obviously. But I gave the snippet of HTML we use above, so I don't see how looking at our website will help you.
levinmr
commented
4 months ago Yes, I can see that the same snippet exists in the source HTML for the page. When I load the page, however, I do not see an error.
It would be helpful to understand if you could provide the context of where and when you are seeing errors from the DAP code
esabol
commented
4 months ago Sorry, we are using Java's HtmlUnit to test and validate various web services on our site, and that's where we are seeing the error. https://www.htmlunit.org/ It's using the Rhino JavaScript engine. There must be some recent change to Universal-Federated-Analytics-Min.js that requires some new JavaScript feature that Rhino doesn't support, I guess?
levinmr
commented
3 months ago There is one change that happened recently which might be the culprit. v8.2 (e5b103a) removed polyfill logic from the minified script. This logic would have added support for methods defined in newer JavaScript standards (ES5, ES6, etc) if the browser was missing those methods. The polyfill logic was removed due to a security concern with including the library, details follow
The polyfill.js is a popular open source library to support older browsers. Thousands of sites embed it using the cdn.polyfill.io domain. In February 2024 a Chinese company (Funnull) bought the domain and the associated Github account. The company has modified the Polyfill.js script to introduce malicious code in to websites. Any script adopted from cdn.polyfill.io would immediately be downloading malicious code from the Chinese company's site.QID Detection Logic (Unauthenticated): This QID checks if the target is using the js file.
Presence of this javascript allows attackers to embed malicious JavaScript into the users website allowing them to steal sensitive data redirect users to malicious websites and possible code execution.
Given that the modern browsers do not require Polyfill original polyfill author recommends to not use Polyfill at all. Recommended alternatives are CDN such as Cloudflare and Fastly
It's tough to know which method support is missing from HtmlUnit/Rhino which would be causing the error. However it does seem to be a common problem with those tools, and updates are made often to provide more support for modern JavaScript features.
esabol
commented
3 months ago Well, instead of removing the polyfill, I don't know why you just wouldn't include the original, unmodified version from Cloudflare instead.
esabol
commented
3 months ago Please bring back the polyfill for improved compatibility.
Recently, we started to see this JavaScript error from Universal-Federated-Analytics-Min.js:
invalid property id (https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=NASA#23)Our website's HTML includes this snippet:
Please advise and/or rectify the error.