dotCMS / core

Headless/Hybrid Content Management System for Enterprises
http://dotcms.com

Polyfill checkup #29108

Closed mbiuki closed 1 month ago

mbiuki commented 1 month ago

Parent Issue

No response

Problem Statement

https://dotcms.slack.com/archives/C5LHLNZ25/p1720021881001729

Steps to Reproduce

https://dotcms.slack.com/archives/C5LHLNZ25/p1720021881001729

Acceptance Criteria

https://dotcms.slack.com/archives/C5LHLNZ25/p1720021881001729

dotCMS Version

latest.

Proposed Objective

Security & Privacy

Proposed Priority

Priority 3 - Average

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

No response

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

No response

Sub-Tasks & Estimates

No response

mbiuki commented 1 month ago

Polyfill is for JS in general - an old approach to allow executing ES6 and newer versions of JS in old browsers - the former domain used to host polyfill.io - is not owned by some offshore actors - anyone relying on polyfill - linking directly to that old domain - it's a serious vuln.

Recommendation: same as Drappel and Akamai, issue a communication to customers.

Do we need to confirm that we are not using it?

polyfill library - maintained as an npm package; there might be some customers that are referring to the polyfill.io bundle there

Do an investigation to see if we are really using it?

jdotcms commented 1 month ago

We have reviewed our file called polyfill- and it is being generated by the Angular build; it is not being retrieved from a third-party CDN, so we are not exposed to a supply chain vulnerability from this issue.

https://github.com/angular/angular/issues/56760#issuecomment-2197551520

"Angular's polyfill section is unrelated to this service, as is zone.js"
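The investigation asked for above (is anything in the build output or customer templates loading a bundle from the polyfill.io domain, as opposed to the locally generated Angular polyfills file?) can be scripted. The scanner below is an added example, not dotCMS or Angular code; it walks a set of files, classifies each `<script src>` as local, external or flagged, and also catches URLs embedded in JavaScript, since a loader that injects the tag at runtime would not show up in a tag scan. The sample index.html and loader.js contents are constructed for the example.

```python
"""Audit built assets for script references to the polyfill.io domain.

Added example (not dotCMS or Angular code). Only polyfill.io and its
subdomains are flagged, which is the domain named in this issue.
"""
import re
from urllib.parse import urlparse

FLAGGED_DOMAIN = "polyfill.io"

# <script ... src="..."> in either quote style, any attribute order.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
# Absolute or protocol-relative URLs anywhere in text (covers runtime loaders).
URL_RE = re.compile(r"(?:https?:)?//[^\s'\"<>()]+", re.IGNORECASE)


def _with_scheme(url):
    # urlparse only recognises a host if the URL has a scheme; protocol-relative
    # references ("//polyfill.io/...") are common in copied snippets.
    return "https:" + url if url.startswith("//") else url


def is_flagged_host(url):
    """True if the URL's host is polyfill.io or one of its subdomains."""
    host = (urlparse(_with_scheme(url)).hostname or "").lower()
    return host == FLAGGED_DOMAIN or host.endswith("." + FLAGGED_DOMAIN)


def classify_script(src):
    """Return 'flagged', 'external' or 'local' for one <script src> value."""
    if is_flagged_host(src):
        return "flagged"
    return "external" if urlparse(_with_scheme(src)).netloc else "local"


def scan_html(html):
    """List of (src, classification) for every <script src> in an HTML document."""
    return [(src, classify_script(src)) for src in SCRIPT_SRC_RE.findall(html)]


def scan_js(text):
    """Sorted flagged URLs found anywhere in the text (JS, or inline scripts)."""
    return sorted({u for u in URL_RE.findall(text) if is_flagged_host(u)})


def audit(files):
    """files: {filename: content}. Returns [(filename, flagged_reference), ...]."""
    findings = []
    for name, content in files.items():
        refs = []
        if name.lower().endswith((".html", ".htm")):
            refs += [src for src, kind in scan_html(content) if kind == "flagged"]
        refs += scan_js(content)  # inline scripts and runtime loaders
        for ref in refs:
            if (name, ref) not in findings:
                findings.append((name, ref))
    return findings


# Constructed sample: an Angular-style index.html with a locally generated
# polyfills bundle, one unrelated external script, and one flagged tag.
SAMPLE_INDEX_HTML = """<!doctype html>
<html><head>
<script src="polyfills-ABC123.js" type="module"></script>
<script src="https://cdn.example.com/analytics.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
</head><body><app-root></app-root></body></html>"""

# Constructed sample: a loader that injects the service's tag at runtime,
# which a plain <script src> scan would miss.
SAMPLE_LOADER_JS = """// constructed: runtime injection of the polyfill service
var s = document.createElement('script');
s.src = '//polyfill.io/v3/polyfill.min.js?features=es6';
document.head.appendChild(s);"""

if __name__ == "__main__":
    for name, ref in audit({"index.html": SAMPLE_INDEX_HTML,
                            "loader.js": SAMPLE_LOADER_JS}):
        print(f"{name}: references {ref}")
```

Run it over the unpacked build output and any site templates or customer-supplied HTML; a locally generated `polyfills-*.js` classifies as `local` and is exactly what the Angular comment above describes. For any `flagged` hit the fix is to remove the tag or self-host the bundle, not to add Subresource Integrity: the service served different content per User-Agent, so no single integrity hash could ever match it.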

mbiuki commented 1 month ago

We have investigated and dotCMS is not affected by this. Closing the ticket.