Closed siliconforks closed 1 day ago
I noticed that this plugin appears to load a script from cdn.polyfill.io if window.Promise is not defined:
https://github.com/weDevsOfficial/wp-user-frontend/blob/v4.0.7/includes/Admin/Forms/Admin_Form_Builder.php#L205-L211
The cdn.polyfill.io domain appears to be no longer trustworthy:
https://sansec.io/research/polyfill-supply-chain-attack
In practice this is probably not really a vulnerability since essentially every browser has built-in support for window.Promise these days (so the script will never be loaded). But I think it would be best to remove this.
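A practical check for this class of issue, added here as an example and not code from wp-user-frontend or from the issue author: a small Node.js scanner over the rendered HTML of a page that flags both a direct `<script src>` pointing at polyfill.io and the conditional loader pattern described above, where the tag is only built at runtime inside an inline script (so a src-only grep misses it). The sample HTML and the suspect-host list are constructed for this example; the inline loader in it is a generic illustration of the pattern, not the plugin's actual code.

```javascript
// Added example (not from the wp-user-frontend project). Scans rendered HTML for
// references to polyfill.io, both as an external <script src> and inside inline
// scripts that create the tag at runtime when window.Promise is missing.

// Hosts treated as untrusted for this example (assumption: the compromised
// domain and its parent, so subdomains such as cdn.polyfill.io also match).
const SUSPECT_HOSTS = ["cdn.polyfill.io", "polyfill.io"];

// Resolve a src attribute (absolute, protocol-relative or site-relative) to a host.
// Relative URLs resolve against a dummy origin so they never look suspect.
function hostOf(src) {
  try {
    return new URL(src, "https://example.invalid/").hostname.toLowerCase();
  } catch (e) {
    return null; // malformed src attribute
  }
}

function isSuspect(host) {
  return SUSPECT_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Returns an array of {kind, host, snippet} findings, in document order.
function findPolyfillReferences(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (srcMatch) {
      const host = hostOf(srcMatch[1]);
      if (host && isSuspect(host)) {
        findings.push({ kind: "external-src", host, snippet: srcMatch[1] });
      }
      continue; // browsers ignore the body of a script that has a src
    }
    // Inline script: look for the domain in the code itself, which catches
    // loaders like `s.src = 'https://cdn.polyfill.io/...'` guarded by a
    // feature check such as `if (!window.Promise)`.
    for (const h of SUSPECT_HOSTS) {
      const idx = body.indexOf(h);
      if (idx !== -1) {
        const snippet = body.slice(Math.max(0, idx - 40), idx + h.length + 40).trim();
        findings.push({ kind: "inline-loader", host: h, snippet });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample page: one local script, one direct reference to the CDN,
// one conditional runtime loader and one unrelated inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//cdn.polyfill.io/v3/polyfill.min.js?features=Promise"></script>
<script>
  if (!window.Promise) {
    var s = document.createElement('script');
    s.src = 'https://cdn.polyfill.io/v3/polyfill.min.js?features=Promise';
    document.head.appendChild(s);
  }
</script>
<script>console.log('unrelated inline script');</script>
</head><body></body></html>`;

for (const f of findPolyfillReferences(SAMPLE_HTML)) {
  console.log(`${f.kind}\t${f.host}\t${f.snippet}`);
}
```

Run it against the HTML of an admin page as the browser receives it (for example, saved from the Network tab) rather than against the PHP source alone, since WordPress assembles the final `<script>` tags at render time. A finding of kind `inline-loader` is the case this issue describes: the request only happens in a browser without `window.Promise`, but the reference is still there to be removed or replaced with a self-hosted copy.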
Thank you for bringing it to our attention.
As an FYI WordFence has flagged this plugin - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-frontend
Fixed