Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Francisco Torres

    (@frantorres)

    Hi, removing wp-polyfill dependencies is actually something that is happening; see, for example, this ticket related to the next version of WordPress.

    In any case, this has to do with performance and dropping support for old browsers, not security issues like that one.

    Polyfill is a general term and there are different “polyfill” libraries; the one that WordPress loads comes from @babel/polyfill, which to my knowledge is not related to the mentioned library.

    Besides, that security issue is related to the loading of a library using an external resource (their servers), which WordPress core does not do.

    All included libraries in WordPress core are loaded from files included in your WordPress installation, not from external resources. In this case, this library is included in wp-includes/js/dist/vendor/wp-polyfill.js so a third party cannot modify it.

    Hello, would you say it is safe not to remove the following scripts from my website’s footer?

    /wp-includes/js/dist/vendor/wp-polyfill-inert.min.js?ver=3.1.2

    /wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0

    Moderator James Huff

    (@macmanx)

    No, it is not safe to remove the scripts, because they are core files.

    It is safe to leave them, however, because as Francisco mentioned above, they are not a part of the Polyfill supply chain attack that has been gaining notoriety.

    Fantastic, thank you. I’ve really struggled to find answers until your post. I will sleep a lot better tonight!
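
The distinction made in the replies above (scripts served from your own installation versus scripts pulled from someone else's servers) can be checked on any page. The following is an added example, not part of the original thread and not WordPress code: the hosts `site.example` and `third-party.example`, the sample markup, and the function names are all constructed for illustration, and the regex-based tag matching is a simplification that is adequate for a quick audit.

```javascript
// Constructed sample footer markup: the two core paths quoted in the thread,
// plus two hypothetical third-party scripts for contrast.
const SAMPLE_HTML = `
<script src="/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js?ver=3.1.2"></script>
<script src='https://site.example/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0'></script>
<script src="https://cdn.third-party.example/v3/polyfill.min.js"></script>
<script src="//static.third-party.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline, no src");</script>
`;

// Read one attribute from a raw tag (double-quoted, single-quoted or bare value).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Classify every <script src=...> as served by the site itself or by another host.
function auditScripts(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (src === null) continue; // inline script, nothing is fetched
    const url = new URL(src, site); // resolves relative and protocol-relative URLs
    const local = url.origin === site.origin;
    findings.push({
      src,
      host: url.host,
      local,
      // Path prefix taken from the core files named in the thread.
      isCoreVendorPath: local && url.pathname.startsWith("/wp-includes/js/dist/vendor/"),
      // Subresource Integrity pins a third-party file to a known hash.
      hasIntegrity: attr(tag, "integrity") !== null,
    });
  }
  return findings;
}

// Scripts whose content is controlled by whoever operates the other host.
function externalScripts(html, siteOrigin) {
  return auditScripts(html, siteOrigin).filter((f) => !f.local);
}

console.log(externalScripts(SAMPLE_HTML, "https://site.example"));
```

Only the entries returned by `externalScripts` depend on a server outside the site's control; the two `wp-includes` entries are files on the site itself.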
