silx-kit / h5web

React components for data visualization and exploration
https://h5web.panosc.eu/
MIT License
161 stars, 17 forks

Remove polyfill.io reference from Readme #1682

Closed Blackclaws closed 1 day ago

Blackclaws commented 4 days ago

Describe the bug

Polyfill.io is recommended in certain places: https://github.com/silx-kit/h5web/blob/main/packages/app/README.md

This site is known to host malware these days: https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/

It should be removed, as any modern browser has these polyfills installed anyhow, or they should at least be served locally or from a known CDN such as Cloudflare.

axelboc commented 4 days ago

Oh, well spotted. I've removed it from the demo after someone reported it through a security advisory, but forgot about the READMEs. I'll try to publish a patch next week so it goes away on NPM as well.

axelboc commented 1 day ago

I've published v12.0.1 on NPM to update the READMEs there. Thanks for the report.
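
A check that could run in CI to catch leftover references like the one reported here, as an added example that is not part of the thread or the h5web code base: it scans README or HTML text for URLs served from polyfill.io or any of its subdomains. The function names and the sample text are constructed for illustration.

```javascript
// Added example: find references to polyfill.io in README/HTML text.
// Function names and sample text are constructed for illustration.

const BLOCKED_DOMAIN = 'polyfill.io';

// Match absolute and protocol-relative URLs in Markdown or HTML.
const URL_RE = /(?:https?:)?\/\/[^\s"'<>)\]]+/gi;

// True when host is the blocked domain or one of its subdomains.
// A suffix check on the parsed host avoids flagging "notpolyfill.io" or
// "polyfill.io.example.com", which a plain substring search would hit.
function isBlockedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return h === BLOCKED_DOMAIN || h.endsWith('.' + BLOCKED_DOMAIN);
}

// Return [{ line, url }] for every URL in `text` served from the blocked domain.
function findPolyfillRefs(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((content, idx) => {
    for (const raw of content.match(URL_RE) || []) {
      let parsed;
      try {
        // Protocol-relative URLs need a scheme before they can be parsed.
        parsed = new URL(raw.startsWith('//') ? 'https:' + raw : raw);
      } catch {
        continue; // not a parseable URL, skip it
      }
      if (isBlockedHost(parsed.hostname)) hits.push({ line: idx + 1, url: raw });
    }
  });
  return hits;
}

// Constructed sample input, not copied from the h5web README.
const SAMPLE = [
  '# Browser support',
  'Load polyfills with <script src="https://polyfill.io/v3/polyfill.min.js"></script>',
  'or <script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>.',
  'Unrelated: https://notpolyfill.io/x and https://polyfill.io.example.com/y',
  'Self-hosted: <script src="/vendor/polyfill.min.js"></script>',
].join('\n');

console.log(findPolyfillRefs(SAMPLE));
```

Running `findPolyfillRefs` over each README and HTML file and failing the build on a non-empty result keeps the reference from coming back in a later release.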