  • stopps

    (@stopps)

    Seconding this request – the file:

    /src/Dependencies/RocketLazyload/Assets.php

    has a reference to polyfill.io, loading a JavaScript file from this domain (which, as Sebastian has pointed out, is now considered compromised). Please move this to either CloudFlare’s mirror or bring the file local (from a trusted source).

    We recommend anyone using this plugin deactivate it until an update has been issued to correct this issue.

    Please confirm this.

    According to the code it seems that since v2.1.2 the polyfill will only be loaded if you have explicitly added a filter to enable it; otherwise it should not be loaded.

    from 2.1.2: “Enhancement: Disable polyfill for intersectionObserver by default, added a way to activate it instead”

    Therefore if the site using this plugin didn’t set up a filter for this it should be fine.

    However, I still see a reference to polyfill.io in the new version, in the method/function getLazyloadScript. The polyfill doesn’t seem to be enabled at any time, since there is no place in the plugin’s code to change the polyfill arg to true, but the reference is still there:

    /rocket-lazy-load/vendor/wp-media/rocket-lazyload-common/src/Assets.php

    As sel has mentioned, this plugin still contains a reference to polyfill.io in the file:

    /vendor/wp-media/rocket-lazyload-common/src/Assets.php

    Can this be addressed so we can reactivate it as a safe plugin?

    @stopps The polyfill reference has already been removed since Friday.

    @coquardcyr – Thanks for getting back to me. The reference has been removed from:

    /rocket-lazy-load/vendor/wp-media/rocket-lazyload-common/src/Assets.php

    but not from:

    vendor/wp-media/rocket-lazyload-common/src/Assets.php

    Which means the plugin is still being flagged by security software. I’m looking at Version 2.3.7.
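    The situation described above (the reference removed from one copy of Assets.php but still present in a vendored duplicate) is exactly what a recursive scan of the plugin tree catches. The script below is an added example, not part of this thread or of the Rocket Lazy Load plugin: it searches every PHP/JS/HTML file under a directory for the string polyfill.io and counts the distinct files that still reference it. The sample tree it builds is constructed data that mirrors the two paths named in the thread, with a hypothetical cleaned src copy and a stale vendor copy; run it against a real wp-content/plugins directory by passing that path as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): scan a plugin tree for
# references to polyfill.io, including vendored duplicates of the same file.

# Print every match as "path:line:text". Uses find + grep -H so it works with
# both GNU and BSD grep (no --include needed). -I skips binary files.
scan_polyfill_refs() {
    dir="$1"
    find "$dir" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -nHI 'polyfill\.io' {} + 2>/dev/null
}

# Number of distinct files under $1 that still reference polyfill.io.
# tr strips the leading spaces that BSD wc prints.
count_flagged_files() {
    scan_polyfill_refs "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical contents, not the real plugin files):
# the src copy has had the reference removed, the vendored duplicate has not.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/rocket-lazy-load/src/Dependencies/RocketLazyload" \
             "$root/rocket-lazy-load/vendor/wp-media/rocket-lazyload-common/src"
    cat > "$root/rocket-lazy-load/src/Dependencies/RocketLazyload/Assets.php" <<'EOF'
<?php
// cleaned copy: the IntersectionObserver polyfill reference was removed
function getLazyloadScript() { return '<script>/* lazyload */</script>'; }
EOF
    cat > "$root/rocket-lazy-load/vendor/wp-media/rocket-lazyload-common/src/Assets.php" <<'EOF'
<?php
// stale vendored copy: still points at the third-party CDN (constructed URL)
$polyfill = '<script src="https://polyfill.io/v3/polyfill.min.js?features=IntersectionObserver"></script>';
EOF
}

# Usage: sh scan_polyfill.sh /path/to/wp-content/plugins
# Exit status 1 means at least one file still references polyfill.io.
if [ -n "${1:-}" ]; then
    scan_polyfill_refs "$1"
    [ "$(count_flagged_files "$1")" = "0" ]
fi
```

Because the scan walks the whole tree rather than a known path, a duplicate copy shipped under vendor/ (the case in this thread) is reported alongside the primary file, which is the same thing a malware scanner keys on when it keeps flagging a plugin after a partial fix.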

    @stopps Ah, the rocket-lazyload-common shouldn’t be in vendor.

    We are going to fix the polyfill reference and the vendor thing in the release 2.3.8 that we are currently testing internally.

    Anyway, thanks for your help on this one!

    @coquardcyr Thanks for confirming the removal in version 2.3.8, do you have a timeline for when this will be released?

    All the best,

    @stopps We were working on releasing it while you sent the message.

    @coquardcyr Excellent – many thanks, looking forward to getting this reactivated on client sites. Good work.

    I have the newest version (2.3.9) and it’s getting flagged by Wordfence. Do I need to adjust any settings?

    Cyrille

    (@coquardcyr)

    Hey @myinvisiblebox ,

    I tried to install both plugin and scan using Wordfence, and I got nothing being flagged.

    I guess the best move here for you would be to reach Wordfence support to see why they flagged the plugin, as there is no longer any reference to polyfill in our codebase.
