Bind polyfill still needed? It has been flagged as 'exposed dangerous method or function'

[paulmsmith]

Developers in my service team have informed me the 'bind' polyfill has been flagged in some automated security/threat testing as Common Weakness Enumeration 749 because of line 125.

bound = Function('binder', 'return function (' + boundArgs.join(',') + '){ return binder.apply(this, arguments); }')(binder);

We think it is upset because that bit of code is effectively an inline 'eval' which technically could be used as part of a cross-site scripting exploit.

I thought it might be worth adding this issue to help others.

I wonder if the polyfill is still needed actually? CanIUse suggests to me that this polyfill is for IE6 - IE8 and I think the GOVUK Design System team are now working to drop support for IE8?

[querkmachine]

Hi @paulmsmith,

You're correct that this is a polyfill for IE8, which we still support in GOV.UK Frontend. We're still at least a couple of months out from dropping support for it completely, but it will eventually be removed as part of #2506.

The polyfill we use is derived from Polyfill.io. Their version of the code is here, though they have since removed support for IE8 and this polyfill with it, so it's unlikely that they will respond to a security report.

Although it being flagged as a security issue isn't great, this code will only be executed by IE8 and similarly old browsers outside of our support remit, which feels like it mitigates the risk of a serious or widespread security threat.

I've added this to our list of known validation warnings for now, but I don't think it's likely we'll fix this before we remove polyfills anyway.