Remove compromised polyfill CDN script

  • Resolved Ov3rfly

    (@ov3rfly)


    4 months, 3 weeks ago

    Please remove compromised polyfill CDN script as soon as possible, thanks.

        /**
         * Print js scripts in admin head
         *
         * @since 2.5
         *
         * @return void
         */
        public function builder_mixins_script() {
            ?>
                <script>
                    if (!window.Promise) {
                        var promise_polyfill = document.createElement('script');
                        promise_polyfill.setAttribute('src','https://cdn.polyfill.io/v2/polyfill.min.js');
                        document.head.appendChild(promise_polyfill);
                    }
                </script>

    More here: https://thehackernews.com/2024/06/over-110000-websites-affected-by.html

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support brandonco

    (@brandonco)

    Hi @ov3rfly,

    Thank you for reaching out, Our developers have been made aware of this issue and it looks like this it has been patched and should be resolved. You can check the status?here. Please let us know if you have more questions for us.

    Thank you!

    Thread Starter Ov3rfly

    (@ov3rfly)

    Feel free to mark this issue as ‘resolved’ after a plugin update with a fix has been released by your developers here, not before.

    Thanks.

    Plugin Support brandonco

    (@brandonco)

    Hi @ov3rfly ,

    I’m not sure if you’ve taken the time to check the issue but It does show as being resolved and the patch looks to have been committed 3 days ago. Please update your plugin if needed and let us know if the issue persist on your end.

    Thanks

    Thread Starter Ov3rfly

    (@ov3rfly)

    Latest release here is 1.6.23 (19 March, 2024). The issue was clearly described, waiting for an official release of a fix in WordPress plugin repository, no time/funding to look at github patches, sorry. Can’t be too hard to host polyfill package locally within plugin package and by that at same time solve GDPR issues with leaking IP address etc. to external servers.

    Plugin Support brandonco

    (@brandonco)

    Hi @ov3rfly, just checking to make sure you’ve updated your weForms plugin and the error no longer persist. If so, we’d like to close out this issue, otherwise please share the new error message so that we can look into it further for you. Awaiting your response.

    Thank you.

Viewing 5 replies - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.