Closed Blackclaws closed 1 day ago
Oh well spotted, I've removed it from the demo after someone reported it through a security advisory, but forgot about the READMEs. I'll try to publish a patch next week so it goes away on NPM as well.
I've published v12.0.1 on NPM to update the READMEs there. Thanks for the report.
Describe the bug
Polyfill.io is recommended in certain places: https://github.com/silx-kit/h5web/blob/main/packages/app/README.md
This site is known to host malware these days: https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/
It should be removed, as any modern browser has these polyfills installed anyhow, or they should at least be served locally or from a known CDN such as Cloudflare.
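A check a maintainer could run over README or HTML text to catch leftover references like the one reported in this issue, as an added example that is not part of the original thread or the h5web code base. The blocked-host list, the function names and the sample file contents are constructed assumptions.

```javascript
// Added example: flag URLs whose host is polyfill.io or a subdomain of it.
// BLOCKED_HOSTS is an assumption: it holds only the domain named in the issue.
const BLOCKED_HOSTS = ["polyfill.io"];

// Absolute (http/https) and protocol-relative URLs; group 1 is the host.
const URL_RE = /(?:https?:)?\/\/([a-z0-9.-]+)(?::\d+)?(?:[/?#][^\s"'<>)\]]*)?/gi;

// Exact host or true subdomain only, so lookalike names are not flagged.
function isBlockedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing dot
  return BLOCKED_HOSTS.some((b) => h === b || h.endsWith("." + b));
}

// files: object mapping a path to that file's text (hypothetical input shape).
// Returns one finding per blocked URL, with a 1-based line number.
function findBlockedReferences(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      for (const m of line.matchAll(URL_RE)) {
        if (isBlockedHost(m[1])) {
          findings.push({ path, line: i + 1, url: m[0] });
        }
      }
    });
  }
  return findings;
}

// Constructed sample input, not taken from the h5web repository.
const SAMPLE = {
  "README.md": [
    "Load polyfills first:",
    '<script src="https://polyfill.io/v3/polyfill.min.js"></script>',
    '<script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>',
  ].join("\n"),
  "NOTES.md": [
    "Background: https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/",
    "Lookalikes: https://notpolyfill.io/x https://polyfill.io.example.com/x",
  ].join("\n"),
};

for (const f of findBlockedReferences(SAMPLE)) {
  console.log(`${f.path}:${f.line}: ${f.url}`);
}
```

Matching on the parsed host rather than on the substring `polyfill` keeps the news link and lookalike domains out of the results.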