Viewing 14 posts - 1 through 14 (of 14 total)
  • #1460027

    I received this Google alert.


    Hello Google Maps Platform Customer,

    We’re writing to let you know that a security issue may be affecting websites using specific third-party libraries (including polyfill.io).

    What happened
    We have become aware of a security issue that may be affecting websites using specific third-party libraries (including polyfill.io). This issue can sometimes redirect visitors away from the intended website without website owner knowledge or permission, or potentially cause other malicious behavior. Many of the Maps JavaScript API samples in the Developer Documentation previously included a polyfill.io script declaration. We have removed this from those samples. If you have used the Maps JavaScript API samples that contain this declaration, we recommend removing the declaration.

    What to do
    Please see below to learn how to take action, if needed:
    – Investigate your website: Check your website’s code to see if you’re loading any compromised libraries (including polyfill.io).
    – Remove or replace the code: If you find compromised libraries, consider:
      – Hosting a clean, secure version of the code yourself
      – Switching to an alternative library or provider
      – Removing the library if you don’t need it
    – Re-deploy your code through your regular process.
    For your reference, attached is a list of your projects where we have detected Maps Javascript API usage. Please check all sites associated with these projects.

    Anything to do manually to fix this or we need to wait for an update?

    Thanks.

    #1460028

    For your reference, attached is a list of your projects where we have detected Maps Javascript API usage. Please check all sites associated with these projects.

    Thanks for the info – and these projects are Enfold sites?

    #1460029

    Hey @Guenni007.

    That is a list of my Google projects; it is not a public one, so you should receive yours.

    #1460031

    Thanks for the info – and these projects are Enfold sites? Can you deduce where a use of polyfill in Enfold might come from?
    Also, when I go to the demo pages with Google Maps usage, I can’t find any polyfill usage.

    #1460032

    Yes, this is the scenario.

    – Google Project 1
    API Used: Google Maps
    Credentials.

    – Enfold Site
    Maps Credentials in Enfold settings
    A Map in the contact page

    That is it.

    No idea where it is coming from or how Enfold inserts the map, but as there is nothing else on the site, the map is from Enfold and the alert is for Maps, which is why I opened this thread.

    #1460036

    How can I explicitly test whether it is loaded? Here, for example, I can’t find anything in the network analysis.

    https://kriesi.at/themes/enfold-construction/contact/

    I think that dotlottie uses some polyfill features, and some older parallax scripts do too.

    #1460037

    Yeah, inspecting the code, I was not able to find it either.

    Searching the Enfold files, there are polyfill references in these files:

    class-avia-gutenberg.php
    leaflet-src.esm.js
    leaflet-src.esm.js.map
    leaflet-src.js
    leaflet-src.js.map
    dotlottie-player.js
    package-lock.json
    avia.js

    Which one is causing the problem and how?

    No idea.

    #1460051

    Hi
    I also received the notification. It is a warning that clearly relates to the use of Maps. We got the message because we have a project on Google Cloud to integrate the Google Maps API.
    I’ve found several posts related to the issue.
    1 – Polyfill.io, a domain used by more than 110,000 websites to deliver JavaScript code, has been used for a supply chain attack, potentially leading to data theft and clickjacking attacks.
    https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/
    2 – It’s important to clarify that, while the utility of polyfills today is somewhat debatable, the problem is not in the library’s code itself. This is a deliberate malicious act by the new owners of one (but the most popular) 3rd-party CDN service that distributes the library.
    Note also that WordPress bundles a local copy of the library (/wp-includes/js/dist/vendor/wp-polyfill.min.js). If these plugin and theme developers are following basic WordPress coding standards, they should be enqueuing the local copy instead of hotlinking to an external one.
    Best Regards
    Manu

    #1460409

    Hi,
    Thanks for sharing manurimini
    The theme doesn’t include polyfill or link to an external one, but uses the registered WordPress version with the relative path /wp-includes/js/dist/vendor; note that this path is in the WordPress files.

    Best regards,
    Mike

    #1460414

    Hey @Mike.

    That means you will remove that use?

    #1460431

    Hi,
    I have reported this issue here; feel free to review it, add any comments and subscribe to it to follow along as the Dev Team reviews it.

    Best regards,
    Mike

    #1460626

    Hi
    I’m trying to understand if there is a link to polyfill.io somewhere in the theme but couldn’t find it.
    The only hint I could find is that the plugin OpenStreetMap may be affected.
    https://www.wordfence.com/threat-intel/vulnerabilities/detail/various-plugins-various-version-use-of-polyfillio
    Hope it helps.
    Best Regards
    Manu

    #1460633

    Hi,
    There is no link to polyfill.io in the theme; the theme only uses wp-polyfill, the built-in WordPress polyfill file at /wp-includes/js/dist/vendor, so even if the theme didn’t have this reference, WordPress core still would, so I believe this will still be an issue until WordPress removes it.
    You can see the open issue here, it is open to the public.

    Best regards,
    Mike

    #1461546

    Hi,
    The Dev Team has reviewed this and points out that the JS file is loaded by WP and only links to the distributed file ../wp-includes/js/dist/vendor/wp-polyfill.js
    Enfold doesn’t hotlink to the polyfill.io site, so we will have to wait for WP to apply a patch for this issue, as there are a lot of dependencies on wp-polyfill for the block editor and React JS.
    We will close this thread, but the issue is open here if you wish to comment, thank you for your understanding and using Enfold.

    Best regards,
    Mike

  • The topic ‘[Security Alert]: Polyfill.io Issue for Google Maps Platform users’ is closed to new replies.