• I’m getting multiple plugin warnings for Polyfill.io

    Does anyone know of a fix or should we be worried about this?

    Various Plugins <= Various Version – Use of Polyfill.io
    Multiple plugins for WordPress are vulnerable to malicious redirection in various versions. This is due to the use of Polyfill.io. Polyfill.io is a JavaScript library used to streamline delivery of content across older browsers and was taken over by malicious threat actors that used the service to redirect victims to malicious websites. While many WordPress plugins utilize Polyfill.io, not all of them may have been delivering malicious content. Regardless, it is recommended to update to a version of the plugin where Polyfill is no longer used or manually remove the use of Polyfill.io from the plugin.

Viewing 1 replies (of 1 total)
  • It’s important to clarify that, while the utility of polyfills today is somewhat debatable, the problem is not in the library’s code itself. This is a deliberate malicious act by the new owners of one (but the most popular) 3rd-party CDN service that distributes the library.

    Note also that WordPress bundles a local copy of the library (/wp-includes/js/dist/vendor/wp-polyfill.min.js). If these plugin and theme developers are following basic WordPress coding standards, they should be enqueuing the local copy instead of hotlinking to an external one.

    If you trust Cloudflare (their technology and security promise, and not their politics) and use their CDN/proxy, they have a simple toggle that automatically replaces all references to polyfill.io with their mirror cdnjs.cloudflare.com/polyfill/.
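An added example, not code from this thread or from WordPress, for site admins who want to check their own install for the hotlinking the reply describes: a POSIX shell scan of a wp-content tree that lists every plugin or theme file referencing the polyfill.io host, with a constructed demo tree so it runs offline. The plugin names (hotlinker, goodcitizen) and file contents are made up for the demo; the `wp-polyfill` script handle is the one WordPress core registers for the local copy mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): find plugin/theme
# files under a wp-content tree that reference polyfill.io instead of relying
# on the bundled local copy. Needs only POSIX sh, find and grep.

# find_polyfill_refs DIR
# Lists every PHP/JS/HTML file under DIR whose text mentions the polyfill.io
# hostname, one path per line, sorted (empty output when nothing matches).
find_polyfill_refs() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -il 'polyfill\.io' {} + 2>/dev/null | sort
}

# count_polyfill_refs DIR
# Prints the number of files reported by find_polyfill_refs (0 when none).
count_polyfill_refs() {
    n=$(find_polyfill_refs "$1" | grep -c . || true)
    echo "$n"
}

# report_polyfill_refs DIR
# Prints each offending file followed by its matching lines with line
# numbers, so the admin can see which plugin or theme needs updating.
report_polyfill_refs() {
    find_polyfill_refs "$1" | while IFS= read -r f; do
        echo "== $f"
        grep -in 'polyfill\.io' "$f"
    done
}

# make_demo_tree DIR
# Builds a constructed sample wp-content tree for offline testing: one plugin
# and one theme that hotlink polyfill.io, and one plugin that instead depends
# on the core-registered 'wp-polyfill' handle (the local copy).
make_demo_tree() {
    mkdir -p "$1/plugins/hotlinker" "$1/plugins/goodcitizen" "$1/themes/demo"
    cat > "$1/plugins/hotlinker/hotlinker.php" <<'EOF'
<?php
// constructed sample: external CDN reference, the pattern the advisory warns about
wp_enqueue_script( 'hl-polyfill', 'https://polyfill.io/v3/polyfill.min.js', array(), null );
EOF
    cat > "$1/plugins/goodcitizen/goodcitizen.php" <<'EOF'
<?php
// constructed sample: depends on WordPress's own local copy via its handle
wp_enqueue_script( 'gc-app', plugins_url( 'app.js', __FILE__ ), array( 'wp-polyfill' ), '1.0', true );
EOF
    cat > "$1/themes/demo/footer.php" <<'EOF'
<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>
EOF
}

# Demo run against the constructed tree in a temporary directory.
# Against a real site: report_polyfill_refs /var/www/html/wp-content
demo=$(mktemp -d)
make_demo_tree "$demo"
report_polyfill_refs "$demo"
echo "files referencing polyfill.io: $(count_polyfill_refs "$demo")"
rm -rf "$demo"
```

Only the two hotlinking files are reported; the plugin that enqueues through the `wp-polyfill` handle never mentions the external host and stays silent. A non-empty report is the cue to update the plugin or theme, or to remove the external reference by hand, as the advisory recommends.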
