
pollyfill.io vulnerability #2914

Closed
fbravosanchez opened this issue Jul 5, 2024 · 4 comments
@fbravosanchez

Is your feature request related to a problem? Please describe.
I was running a server using Dash which has been flagged by my institution as possibly vulnerable to a JavaScript supply chain attack due to the recent polyfill.io vulnerability: https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/
I am struggling to establish whether the vulnerability relates to Dash or to one of the dependencies needed to create the server.

Describe the solution you'd like
Indicate whether the vulnerability is related to Dash, and a resolution if so.

Describe alternatives you've considered
Tried tracking the vulnerability to other dependencies but haven't been able to due to my lack of JS knowledge.

@BSd3v
Contributor

BSd3v commented Jul 16, 2024

Hello @fbravosanchez,

Thanks for this. What exactly did your tech team flag on this? Was it the actual site, or did they just scrub the repository for the polyfill?

To me, it looks like polyfill is only displayed in one location, a test file... obviously this would need to be updated, but it would have no impact on the package itself.

@gvwilson might need to take a look at this, if not already on the radar.

{"src": "https://cdn.polyfill.io/v2/polyfill.min.js"},

@archmoj archmoj removed their assignment Jul 16, 2024
@T4rk1n
Contributor

T4rk1n commented Jul 16, 2024

I've removed the URL from the test; it was the only reference in our code.
Also scanned the deployed app with polykill.io and all clear.

@T4rk1n T4rk1n closed this as completed Jul 16, 2024
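The two checks described in this thread (searching the code base for the polyfill.io reference, and scanning the deployed app) can be automated. The following is an added example, not code from the Dash project: it flags `script`/`link` tags in rendered HTML and bare URLs in source or config text whose host is polyfill.io or a subdomain such as cdn.polyfill.io. The flagged host list is an assumption taken from the linked report and the removed test line; the sample inputs are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host list: the service named in the linked report plus the
# cdn.polyfill.io host that appeared in the removed Dash test file.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}


def is_flagged_url(url):
    """True if the URL's host is polyfill.io or any subdomain of it.
    Protocol-relative URLs (//cdn.polyfill.io/...) are handled because
    urlparse still extracts the netloc; path look-alikes are not flagged."""
    host = urlparse(url.strip()).hostname or ""
    return host in FLAGGED_HOSTS or host.endswith(".polyfill.io")


class _AssetCollector(HTMLParser):
    """Collects src/href values of tags that load remote scripts or styles."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and is_flagged_url(value):
                self.hits.append((tag, value))


def scan_html(html):
    """Return (tag, url) pairs in rendered HTML that point at polyfill.io."""
    collector = _AssetCollector()
    collector.feed(html)
    return collector.hits


_URL_RE = re.compile(r"https?://[^\s\"'<>)]+|//[^\s\"'<>)/]+/[^\s\"'<>)]*")


def scan_source(text):
    """Return polyfill.io URLs embedded in source or config text (JS, JSON, Python)."""
    return [u for u in _URL_RE.findall(text) if is_flagged_url(u)]


# Constructed sample: one flagged script, one unrelated script, one look-alike path.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdn.example.test/react.min.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/polyfill.io.css">
</head><body></body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```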
@gvwilson
Contributor

thank you

@fbravosanchez
Author

Thank you ALL for your responses. I don't have any detail of what my institution found; they only said that they used "various search engines" to flag the possible presence of "polyfill.io" in our Dash server (now running again: http://203.101.225.95/). At least this query served to clear that test file reference.
