
Replace links to polyfill.io in comments on `support/v3.x` branch

Open romaricpascal opened this issue 1 week ago • 0 comments

What

On the support/3.x branch, replace links to the polyfill.io website in the comments of our vendored polyfills with the following note at the top of the file:

/**
 * NOTE
 * 
 * These polyfills were generated using polyfill.io, which was reported as compromised on 25th June 2024.
 * 
 * We generated this code well before the compromise, and it is free of malicious code.
 * However, we recommend checking any polyfills you have generated in a similar way.
 */

Why

polyfill.io was reported as compromised on 25th June 2024. While our code doesn't load scripts directly from the live service, the polyfills in govuk-frontend had been extracted from this service while it was free of malicious code. These extracts have comments pointing to the polyfill.io website, which would lead our users to a malicious site.
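One way to carry out the replacement described above and, at the same time, check a file the way the note recommends. This is an added example, not govuk-frontend's own code: the helper names, the `[polyfill.io link removed ...]` marker text and the sample polyfill source are constructed for illustration. The script finds `polyfill.io` URLs in a vendored file, refuses to rewrite a file where such a URL appears outside a comment (that would be a live load rather than a stale link, and needs a person to look at it), strips the links from comments and prepends the note from the issue. The comment detection is a line-based heuristic, adequate for generated polyfill bundles but not a full JavaScript tokenizer.

```javascript
// Added example, not part of govuk-frontend. Node.js, no dependencies.

// The note from the issue, verbatim, to be prepended to each rewritten file.
const NOTE = `/**
 * NOTE
 *
 * These polyfills were generated using polyfill.io, which was reported as compromised on 25th June 2024.
 *
 * We generated this code well before the compromise, and it is free of malicious code.
 * However, we recommend checking any polyfills you have generated in a similar way.
 */
`;

// Any URL on polyfill.io or one of its subdomains (e.g. cdn.polyfill.io).
// Requires a scheme so the plain words "polyfill.io" in NOTE are not matched,
// which keeps the rewrite idempotent.
const POLYFILL_IO_LINK = /https?:\/\/[^\s'")<>]*polyfill\.io[^\s'")<>]*/gi;

// Heuristic: the link is inside a comment if a // or /* opener precedes it on the
// same line, or the line is a continuation line of a block comment (" * ...").
function linkIsInComment(line, index) {
  const before = line.slice(0, index);
  return /\/\/|\/\*/.test(before) || line.trimStart().startsWith('*');
}

// Report every polyfill.io URL in the source with its line number and whether
// it sits in a comment. Useful on its own as an audit of vendored files.
function findPolyfillIoLinks(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(POLYFILL_IO_LINK)) {
      hits.push({ line: i + 1, url: m[0], inComment: linkIsInComment(line, m.index) });
    }
  });
  return hits;
}

// Strip polyfill.io links from comments and prepend NOTE. Files without any
// such link are returned unchanged; files that reference polyfill.io in code
// are rejected so a human reviews them instead of a text substitution.
function rewritePolyfillSource(source) {
  const hits = findPolyfillIoLinks(source);
  if (hits.length === 0) return source;
  const inCode = hits.filter((h) => !h.inComment);
  if (inCode.length > 0) {
    throw new Error(
      'polyfill.io URL used outside a comment at line(s) ' + inCode.map((h) => h.line).join(', ')
    );
  }
  const rewritten = source
    .split('\n')
    .map((line) => line.replace(POLYFILL_IO_LINK, '[polyfill.io link removed - see NOTE at top of file]'))
    .join('\n');
  return NOTE + rewritten;
}

// Constructed sample of a vendored polyfill carrying two links in comments.
const SAMPLE_POLYFILL = [
  '// Polyfill for Array.prototype.includes',
  '// Source: https://polyfill.io/v3/polyfill.js?features=Array.prototype.includes',
  '(function () {',
  '  if (!Array.prototype.includes) { /* see https://cdn.polyfill.io/v2/ for the original */',
  '    Array.prototype.includes = function (x) { return this.indexOf(x) !== -1 }',
  '  }',
  '})()',
].join('\n');

// Constructed sample of what the script must refuse: a live script load.
const SAMPLE_LIVE_LOAD =
  "var s = document.createElement('script'); s.src = 'https://polyfill.io/v3/polyfill.min.js'";

console.log(rewritePolyfillSource(SAMPLE_POLYFILL));

module.exports = { NOTE, findPolyfillIoLinks, rewritePolyfillSource, SAMPLE_POLYFILL, SAMPLE_LIVE_LOAD };
```

Run it over each file under the vendored polyfills directory and commit the result; running it a second time is a no-op because the note itself contains no URL, so a re-run finds nothing to replace.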

Who needs to work on this

Developers

Who needs to review this

Developers

Done when

  • [ ] Comments linking to polyfill.io in our polyfills have been removed in favour of a generic note.

romaricpascal, Jun 27 '24 10:06