Closed joelstrom closed 1 week ago
Was unable to send in a security report, so posting it here instead.
The Polyfill.io library has been compromised after the domain was sold (https://sansec.io/research/polyfill-supply-chain-attack).
BlitzVariable.php is loading in an unsafe version of this script. Can this be changed to one of the safe mirrors or removed completely if possible?
I know Craft 3 is old by this point, but is there any chance you would still be updating the version for it?
Craft CMS 3 Blitz Version < 3.14.0
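An added audit check, not part of this issue or of the Blitz plugin: it scans template, PHP or HTML text for script URLs pointing at the polyfill.io domain named above (including subdomains and protocol-relative `//` URLs) and reports the line they appear on. The sample input is constructed for illustration and is not the contents of BlitzVariable.php.

```python
import re
from urllib.parse import urlparse

# Hosts belonging to the polyfill.io service named in the issue. Subdomains such
# as cdn.polyfill.io are matched too. Extend the set if you track other domains.
SUSPECT_HOSTS = {"polyfill.io"}

# Absolute and protocol-relative URLs as they appear in HTML, Twig, PHP or JS strings.
URL_RE = re.compile(r'(?:https?:)?//[^\s"\'<>)]+', re.IGNORECASE)


def is_suspect_host(host: str) -> bool:
    """True if host is a suspect domain or one of its subdomains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_HOSTS)


def find_polyfill_references(text: str) -> list[tuple[int, str]]:
    """Return (line_number, url) for every reference to a suspect host in text.

    Protocol-relative URLs ("//cdn.polyfill.io/...") are prefixed with "https:"
    before parsing so that urlparse yields a hostname for them.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            normalised = "https:" + url if url.startswith("//") else url
            host = urlparse(normalised).hostname or ""
            if is_suspect_host(host):
                hits.append((line_no, url))
    return hits


# Constructed sample resembling a template that injects a polyfill script tag.
# Illustrative only; this is not the real BlitzVariable.php source.
SAMPLE = """\
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="/assets/app.js"></script>
$html .= '<script src="//polyfill.io/v3/polyfill.min.js"></script>';
<a href="https://example.com/polyfill.io-is-not-a-host">docs</a>
"""

if __name__ == "__main__":
    for line_no, url in find_polyfill_references(SAMPLE):
        print(f"line {line_no}: {url}")
```

Run it over your project's templates and vendor directory; any hit means a page still loads script from the compromised domain and the reference should be removed or repointed.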
Just submitted a PR to patch this: #678
This was addressed months ago in Blitz 4 whereas Blitz 3 was left behind, so thank you for bringing this to my attention. Fixed and released as a critical update in 3.15.0.