June 29, 2024 at 7:28 am #1460027
I received this Google alert.
—
Hello Google Maps Platform Customer,

We’re writing to let you know that a security issue may be affecting websites using specific third-party libraries (including polyfill.io).

What happened

We have become aware of a security issue that may be affecting websites using specific third-party libraries (including polyfill.io). This issue can sometimes redirect visitors away from the intended website without website owner knowledge or permission, or potentially cause other malicious behavior. Many of the Maps JavaScript API samples in the Developer Documentation previously included a polyfill.io script declaration. We have removed this from those samples. If you have used the Maps JavaScript API samples that contain this declaration, we recommend removing the declaration.

What to do

Please see below to learn how to take action, if needed:
- Investigate your website: Check your website’s code to see if you’re loading any compromised libraries (including polyfill.io).
- Remove or replace the code: If you find compromised libraries, consider:
  - Hosting a clean, secure version of the code yourself
  - Switching to an alternative library or provider
  - Removing the library if you don’t need it
- Re-deploy your code through your regular process.

For your reference, attached is a list of your projects where we have detected Maps JavaScript API usage. Please check all sites associated with these projects.
—

Is there anything to do manually to fix this, or do we need to wait for an update?
Thanks.
June 29, 2024 at 8:25 am #1460028
“For your reference, attached is a list of your projects where we have detected Maps JavaScript API usage. Please check all sites associated with these projects.”
Thanks for the info – and these projects are Enfold sites?
June 29, 2024 at 8:33 am #1460029
Hey @Guenni007.
That is a list of my Google projects; it is not a public one, so you should receive yours.
June 29, 2024 at 8:45 am #1460031
“Thanks for the info – and these projects are Enfold sites?” Can you deduce where a use of polyfill in Enfold might come from?
Also, when I go to the demo pages with Google Maps usage, I can’t find a polyfill usage.
June 29, 2024 at 8:50 am #1460032
Yes, this is the scenario.
– Google Project 1
  API used: Google Maps
  Credentials.
– Enfold site
  Maps credentials in Enfold settings
  A map on the contact page
That is it.
No idea where it is coming from or how Enfold inserts the map, but as there is nothing else on the site, the map is from Enfold and the alert is for Maps; that is why I opened this thread.
June 29, 2024 at 9:24 am #1460036
How can I explicitly test whether it is loaded? Here, for example, I can’t find anything in the network analysis:
https://kriesi.at/themes/enfold-construction/contact/
I think that the dotlottie is using some polyfill features. And some older parallax scripts do too.
June 29, 2024 at 9:36 am #1460037
Yeah, inspecting the code I was not able to find it either.
Searching the Enfold files, there are polyfill references in these files:
class-avia-gutenberg.php
leaflet-src.esm.js
leaflet-src.esm.js.map
leaflet-src.js
leaflet-src.js.map
dotlottie-player.js
package-lock.json
avia.js
Which one is causing the problem and how?
No idea.
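The two posts above ask how to test whether a page actually loads polyfill.io, and the file search cannot tell a hotlink from the WordPress-bundled copy. The following scanner is an added example, not code from the thread or from Enfold: it parses the script tags of a page and classifies each URL as a polyfill.io hotlink, the local wp-polyfill file, or something else. The sample HTML is constructed, and treating polyfill.io subdomains as suspect is an assumption.

```python
import re
from urllib.parse import urlparse

# Domain named in the thread as the compromised CDN (assumption: subdomains count too).
SUSPECT_HOSTS = {"polyfill.io"}
# The WordPress-bundled copy the thread discusses; it is served from the site itself.
LOCAL_WP_POLYFILL = "/wp-includes/js/dist/vendor/wp-polyfill"

# Matches the src attribute of <script> tags in page HTML (case-insensitive).
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def classify_script(src):
    """Classify one script URL: 'hotlink' (fetched from polyfill.io),
    'local-wp-polyfill' (the bundled WordPress copy) or 'other'."""
    url = urlparse(src)  # handles absolute, scheme-relative (//host/...) and site-relative URLs
    host = (url.hostname or "").lower()
    if host and any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS):
        return "hotlink"
    if LOCAL_WP_POLYFILL in url.path:
        return "local-wp-polyfill"
    return "other"


def scan_html(html):
    """Return (src, verdict) for every script reference in the HTML."""
    return [(src, classify_script(src)) for src in SCRIPT_SRC_RE.findall(html)]


def hotlinked_polyfills(html):
    """Only the script URLs that would fetch code from polyfill.io."""
    return [src for src, verdict in scan_html(html) if verdict == "hotlink"]


# Constructed sample page: one local WordPress polyfill, two polyfill.io hotlinks, one Maps script.
SAMPLE_HTML = """<html><head>
<script src='/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0'></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<SCRIPT SRC="//polyfill.io/v3/polyfill.min.js"></SCRIPT>
<script src="https://maps.googleapis.com/maps/api/js?key=API_KEY_PLACEHOLDER"></script>
</head></html>"""

if __name__ == "__main__":
    for src, verdict in scan_html(SAMPLE_HTML):
        print(f"{verdict:18} {src}")
```

Run it over the saved HTML of a page (or the output of a crawler) to see which, if any, script tags would pull code from polyfill.io rather than from the site’s own wp-includes directory.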
June 29, 2024 at 1:06 pm #1460051
Hi,
I also received the notification. It is a warning that clearly relates to the use of Maps. We got the message because we have a project on Google Cloud to integrate the Google Maps API.
I’ve found several posts related to the issue.
1 – Polyfill.io, a domain used by more than 110,000 websites to deliver JavaScript code, has been used for a supply chain attack, potentially leading to data theft and clickjacking attacks.
https://www.spiceworks.com/it-security/cyber-risk-management/news/polyfill-supply-chain-attack-infects-websites/
2 – It’s important to clarify that, while the utility of polyfills today is somewhat debatable, the problem is not in the library’s code itself. This is a deliberate malicious act by the new owners of one (but the most popular) 3rd-party CDN service that distributes the library.
Note also that WordPress bundles a local copy of the library (/wp-includes/js/dist/vendor/wp-polyfill.min.js). If these plugin and theme developers are following basic WordPress coding standards, they should be enqueuing the local copy instead of hotlinking to an external one.
Best regards,
Manu
June 29, 2024 at 10:38 pm #1460409
Hi,
Thanks for sharing, manurimini.
The theme doesn’t include polyfill or link to an external one, but uses the registered WordPress version with the relative path /wp-includes/js/dist/vendor; note that this path is in the WordPress files.
Best regards,
Mike
June 29, 2024 at 10:45 pm #1460414
Hey @Mike.
That means you will remove that use?
June 29, 2024 at 11:32 pm #1460431
Hi,
I have reported this issue here; feel free to review it, add any comments and subscribe to it to follow as the Dev Team reviews it.
Best regards,
Mike
June 30, 2024 at 2:49 pm #1460626
Hi,
I’m trying to understand if there is a link to polyfill.io somewhere in the theme but couldn’t find it.
The only hint I could find is that the plugin OpenStreetMap may be affected.
https://www.wordfence.com/threat-intel/vulnerabilities/detail/various-plugins-various-version-use-of-polyfillio
Hope it helps.
Best regards,
Manu
June 30, 2024 at 3:17 pm #1460633
Hi,
There is no link to polyfill.io in the theme; the theme only uses wp-polyfill, that is, the built-in WordPress polyfill file at /wp-includes/js/dist/vendor. So even if the theme didn’t have this reference, the WordPress core still does, so I believe this will still be an issue until WordPress removes it.
You can see the open issue here; it is open to the public.
Best regards,
Mike
July 7, 2024 at 3:46 pm #1461546
Hi,
The Dev Team has reviewed this and points out that the JS file is loaded by WP and only links to the distributed file ../wp-includes/js/dist/vendor/wp-polyfill.js
Enfold doesn’t hotlink to the polyfill.io site, so we will have to wait for WP to apply a patch for this issue, as there are a lot of dependencies on wp-polyfill for the block editor and React JS.
We will close this thread, but the issue is open here if you wish to comment. Thank you for your understanding and for using Enfold.
Best regards,
Mike
The topic ‘[Security Alert]: Polyfill.io Issue for Google Maps Platform users’ is closed to new replies.