nextcloud / suspicious_login

Detect and warn about suspicious IPs logging into Nextcloud
GNU Affero General Public License v3.0

[security] polyfill.io included via outdated RubixML fork #881

Open tgoeg opened 2 weeks ago

tgoeg commented 2 weeks ago

Not posting this secretly as this is already known across the web.

This app's composer.json includes RubixML via https://github.com/nextcloud-deps/RubixML. That repo is behind the current master of RubixML, which has this already fixed.

Still including it: https://github.com/nextcloud-deps/RubixML/blob/master/mkdocs.yml

Already fixed: https://github.com/RubixML/ML/commit/fef1033456f3b347e05b0a193919120b415f4127

I don't know who's responsible for the nextcloud-deps fork, but please either use another, current source or (make people) update the fork. Thanks!
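As an added example (not from the issue thread or the Nextcloud project), a small scanner that walks an installed app's vendored dependencies and reports every reference to the polyfill.io CDN, tagging whether a hit sits in a runtime file (PHP/JS/HTML) or, as in this report, in docs/build configuration such as mkdocs.yml. The sample file contents, the paths and the extension lists are constructed assumptions.

```python
"""Scan a Nextcloud app's vendored dependencies for references to the
polyfill.io CDN. Added example, not part of the issue thread."""
import os
import re
from typing import Dict, List, Tuple

# Matches the polyfill.io host and any subdomain, e.g. //cdn.polyfill.io
POLYFILL_RE = re.compile(r"(?:https?:)?//(?:[a-z0-9-]+\.)*polyfill\.io\b", re.IGNORECASE)

# Assumed split: files executed/served at runtime vs. docs and build config
RUNTIME_EXTS = {".php", ".js", ".html", ".twig", ".vue"}
DOCS_EXTS = {".yml", ".yaml", ".md", ".rst", ".txt"}

def classify(path: str) -> str:
    ext = os.path.splitext(path)[1].lower()
    if ext in RUNTIME_EXTS:
        return "runtime"
    if ext in DOCS_EXTS:
        return "docs"
    return "other"

def scan_contents(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, kind, matched_host) for every polyfill.io hit.
    `files` maps a relative path to that file's text."""
    hits = []
    for path, text in sorted(files.items()):
        for n, line in enumerate(text.splitlines(), start=1):
            for m in POLYFILL_RE.finditer(line):
                hits.append((path, n, classify(path), m.group(0)))
    return hits

def scan_tree(root: str) -> List[Tuple[str, int, str, str]]:
    """Walk an installed vendor/ tree (e.g. apps/suspicious_login/vendor) and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return scan_contents(files)

# Constructed sample mirroring the thread: a vendored mkdocs.yml pulling
# polyfill.io (docs-only), next to a clean PHP source file.
SAMPLE = {
    "rubix/ml/mkdocs.yml": "extra_javascript:\n  - https://polyfill.io/v3/polyfill.min.js?features=es6\n",
    "rubix/ml/src/Classifiers/KNN.php": "<?php\nnamespace Rubix\\ML\\Classifiers;\n",
}

if __name__ == "__main__":
    for path, n, kind, host in scan_contents(SAMPLE):
        print(f"{kind:8} {path}:{n}  {host}")
```

A "docs" hit means the reference ships with the package but is not loaded by the app at runtime; a "runtime" hit is the case that needs the dependency updated or pinned before deployment.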

kesselb commented 1 week ago

Thank you, that's a good finding.

Please report it via https://hackerone.com/nextcloud.

tgoeg commented 1 week ago

Done.

tgoeg commented 1 week ago

[screenshot] Well, that wasn't all that successful :-)

I still think placing vulnerable code on production systems is not the best idea, even if the code is not in use. I may not see the other report; there's probably a more promising fix there.