polyfill.io vulnerability #2914
Comments
Hello @fbravosanchez, Thanks for this. What exactly did your tech team flag on this? Was it the actual site, or did they just scrub the repository for the polyfill? To me, it looks like polyfill is only displayed in one location, a test file... obviously this would need to be updated, but would have no impact on the package itself. @gvwilson might need to take a look at this, if not already on the radar.
I've removed the URL from the test; it was the only reference in our code.
Thank you.
Thank you ALL for your responses. I don't have any detail of what my institution found; they only said that they used "various search engines" to flag the possible presence of "polyfill.io" in our dash server (now running again: http://203.101.225.95/). At least this query served to clear that test file reference.
Is your feature request related to a problem? Please describe.
I was running a server using dash which has been flagged by my institution as possibly vulnerable to a JavaScript supply-chain attack due to the recent polyfill.io vulnerability https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/
I am struggling to establish if the vulnerability relates to dash or to one of the dependencies needed to create the server.
Describe the solution you'd like
Indicate if the vulnerability is related to dash and a resolution if so
Describe alternatives you've considered
Tried tracking the vulnerability to other dependencies but haven't been able to due to my lack of JS knowledge