-
Posts
-
I received this Google alert.
—
Hello Google Maps Platform Customer,We’re writing to let you know that a security issue may be affecting websites using specific third-party libraries (including polyfill.io).
What happened
We have become aware of a security issue that may be affecting websites using specific third-party libraries (including polyfill.io). This issue can sometimes redirect visitors away from the intended website without website owner knowledge or permission, or potentially cause other malicious behavior. Many of the Maps JavaScript API samples in the Developer Documentation previously included a polyfill.io script declaration. We have removed this from those samples. If you have used the Maps JavaScript API samples that contain this declaration, we recommend removing the declaration.What to do
Please see below to learn how to take action, if needed:
Investigate your website: Check your website’s code to see if you’re loading any compromised libraries (including polyfill.io).
Remove or replace the code: If you find compromised libraries, consider:
Hosting a clean, secure version of the code yourself
Switching to an alternative library or provider
Removing the library if you don’t need it
Re-deploy your code through your regular process.
For your reference, attached is a list of your projects where we have detected Maps Javascript API usage. Please check all sites associated with these projects.
—Anything to do manually to fix this or we need to wait for an update?
Thanks.
For your reference, attached is a list of your projects where we have detected Maps Javascript API usage. Please check all sites associated with these projects.
thanks for the info – and these projects are Enfold Sites?
Hey @Guenni007.
That is a list of my google projects, it is not a public one, so you should receive yours.
thanks for the info – and these projects are Enfold Sites? Can you deduce where a use of polyfill in Enfold might come from?
Also, when I go to the demo pages with Google Maps usage – I can’t find a polyfill usage.Yes, this is the scenario.
– Google Project 1
API Used: Google Maps
Credentials.– Enfold Site
Maps Credentials in Enfold settings
A Map in the contact pageThat is it.
No idea where it is coming from and how Enfold inserts the map, but as there is nothing else in the site, the map is from enfold and the alert is for maps, that is why I opened this thread.
How can I explicitly test whether it is loaded – here, for example, I can’t find anything in the network analysis.
https://kriesi.at/themes/enfold-construction/contact/
i think that the dotlottie is using some polyfill features. And some older parallax scripts do too.
Yeah, inspecting the code I was not able to find it either.
Searching Enfold files there are pollyfill references in this files.
class-avia-gutenberg.php
leaflet-src.esm.js
leaflet-src.esm.js.map
leaflet-src.js
leaflet-src.js.map
dotlottie-player.js
package-lock.json
avia.jsWhich one is causing the problem and how?
No idea.
Hi
I also received the notification. It is a warning that clearly relates to the use of maps. We got the message, because we have a project on google cloud to integrate the google maps api.
I’ve found several posts related to the issue.
1 – Polyfill.io, a domain used by more than 110,000 websites to deliver javascript code, has been used for a supply chain attack, potentially leading to data theft and clickjacking attacks.
https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/
2 – It’s important to clarify that, while the utility of polyfills today is somewhat debatable, the problem is not in the library’s code itself. This is a deliberate malicious act by the new owners of one (but the most popular) 3rd-party CDN service that distributes the library.
Note also that WordPress bundles a local copy of the library (/wp-includes/js/dist/vendor/wp-polyfill.min.js). If these plugin and theme developers are following basic WordPress coding standards, they should be enqueuing the local copy instead of hotlinking to an external one.
Best Regards
ManuHi,
Thanks for sharing manurimini
The theme doesn’t include polyfill or link to a external one, but uses the registered WordPress version with the relative path of /wp-includes/js/dist/vendor note that this path is in the WordPress files.Best regards,
MikeHey @Mike.
That means you will remove that use?
Hi,
I have reported this issue here feel free to review it and add any comments and subscribe to it to follow as the Dev Team reviews it.Best regards,
MikeHi
I’m trying to understand if there is a link to polyfill.io somewhere in the theme but couldn’t find it.
The only hint I could find is that the plugin OpenStreetMap may be affected.
https://www.wordfence.com/threat-intel/vulnerabilities/detail/various-plugins-various-version-use-of-polyfillio
Hope it helps.
Best Regards
ManuHi,
There is no link to polyfill.io in the theme, the theme only uses wp-polyfill, that is the built-in WordPress polyfill file at /wp-includes/js/dist/vendor, so even if the theme didn’t have this reference the WordPress core still does, so I believe this will still be an issue until WordPress removes it.
You can see the open issue here, it is open to the public.Best regards,
Mike
- You must be logged in to reply to this topic.