putyourlightson / craft-blitz

Intelligent static page caching for creating lightning-fast sites with Craft CMS.
https://putyourlightson.com/plugins/blitz

Polyfill.io security compromised in Craft 3 version #677

Closed joelstrom closed 1 week ago

joelstrom commented 1 week ago

Bug Report

Was unable to send in a security report, so posting it here instead.

Summary

The Polyfill.io library has been compromised after the domain was sold (https://sansec.io/research/polyfill-supply-chain-attack)

Details

BlitzVariable.php is loading an unsafe version of this script. Can this be changed to one of the safe mirrors, or removed completely if possible?

I know Craft 3 is old by this point, but is there any chance you would still be updating the version for it?

Diagnostics Report

Craft CMS 3 Blitz Version < 3.14.0
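A quick way to check whether a site's rendered pages still reference the compromised domain, as an added example that is not Blitz's code and not the patch from the PR. It parses `<script src>` attributes and matches on the URL's host, so `cdn.polyfill.io` and protocol-relative `//polyfill.io/...` are flagged while a local file whose name happens to contain "polyfill.io", or an unrelated host such as `notpolyfill.io`, is not. The list of implicated hosts (`polyfill.io` and its subdomains) and the sample HTML are assumptions constructed for the example.

```python
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for this example: the domain named in the Sansec write-up.
# Matched as the exact host or any subdomain, so cdn.polyfill.io is
# caught while notpolyfill.io is not.
COMPROMISED_HOSTS = ("polyfill.io",)


def is_compromised_host(host: str) -> bool:
    """True if host is one of COMPROMISED_HOSTS or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in COMPROMISED_HOSTS)


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag with its line number."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[tuple[int, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                line, _col = self.getpos()
                self.scripts.append((line, value.strip()))


def find_polyfill_io_scripts(html: str) -> list[tuple[int, str]]:
    """Return (line, src) for each <script src> whose host is compromised.

    urlsplit picks out the host for absolute and protocol-relative URLs;
    a relative path has no host and is never flagged, and a path that
    merely contains "polyfill.io" on another host is ignored.
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for line, src in parser.scripts:
        host = urlsplit(src).hostname or ""
        if is_compromised_host(host):
            hits.append((line, src))
    return hits


# Constructed sample page: two hits (lines 3 and 4), three non-hits.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/assets/polyfill.io-shim.js"></script>
<script src="https://notpolyfill.io/app.js"></script>
</head><body></body></html>
"""


if __name__ == "__main__":
    for line, src in find_polyfill_io_scripts(SAMPLE_HTML):
        print(f"line {line}: {src}")
```

Run it against the HTML Blitz actually serves (the cached files on disk, or a fetched page) rather than the Twig source, since a script injected by a plugin variable only shows up in the rendered output.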

pixleight commented 1 week ago

Just submitted a PR to patch this: #678

bencroker commented 1 week ago

This was addressed months ago in Blitz 4 whereas Blitz 3 was left behind, so thank you for bringing this to my attention. Fixed and released as a critical update in 3.15.0.