Dear customers,
As you may already be aware, recent official security reports, from CSIRT and CVE-2024-38526, have warned about a vulnerability that affects the supply chain of the Polyfill.io library. For this reason, we have prepared this statement to provide context and possible actions for customers who could potentially be affected.
What is a polyfill?
A polyfill is a piece of code that allows websites and applications to function correctly in older browsers. It acts as a bridge, providing modern functionality that these browsers do not support natively. This is crucial to ensure that all users have a consistent experience, regardless of which browser they use.
Polyfills work by detecting whether a feature is supported by the browser and, if it is not, implementing an alternative that mimics the desired behavior. This allows developers to use the latest technologies without sacrificing compatibility with older browsers. Additionally, it simplifies code maintenance by centralizing compatibility logic.
What is Polyfill.io?
Polyfill.io was a popular web service that provided polyfills to websites dynamically. Polyfills, as explained above, are pieces of code that allow websites to function correctly in older browsers.
Polyfill.io allowed developers to easily include polyfills on their websites without having to manually download and manage polyfill libraries.
Is the security of the Modyo Platform compromised by this vulnerability?
The most recent versions of the Modyo 10 platform do not use any type of polyfill. In the case of older versions, such as Modyo 8 and Modyo 9, the polyfills used are packaged internally and the compromised CDN is not used.
In the case of websites and web applications created on Modyo Channels by our clients, it is up to each client to check for uses of Polyfill.io within their templates and Widgets.
What if my code uses Polyfill.io?
If your code uses the compromised Polyfill.io CDN, the recommendation is to replace it with one of the alternatives explained below. Regardless of that, the CDN domain has been deregistered by its domain name provider to prevent the spread of any malicious activity that could have originated from it.
Alternatives to Polyfill.io:
- cdnjs: A CDN (Content Delivery Network) that hosts many JavaScript libraries, including polyfills.
- core-js: A modular polyfill library that allows you to include only the polyfills you need.
- Polyfill.io (via cdnjs): Cloudflare has implemented a secure version of Polyfill.io on its CDN, cdnjs.
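As an added example that is not part of this statement or of the Modyo platform, the following script checks an HTML template or Widget for script tags loaded from the polyfill.io domain and rewrites them to the cdnjs-hosted copy, keeping the requested feature list. The cdnjs URL is assumed from Cloudflare's announcement and should be verified against cdnjs before use; the sample template is constructed.

```javascript
// Added example (not Modyo's code). The cdnjs URL below is an assumption
// taken from Cloudflare's announcement; verify it before deploying.
const CDNJS_POLYFILL = 'https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js';

// Matches a <script ... src="..."> tag and captures the src value.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// True when the URL's host is polyfill.io or one of its subdomains.
// Protocol-relative "//polyfill.io/..." sources are resolved as https.
function isPolyfillIoUrl(src) {
  try {
    const url = new URL(src.startsWith('//') ? 'https:' + src : src);
    const host = url.hostname.toLowerCase();
    return host === 'polyfill.io' || host.endsWith('.polyfill.io');
  } catch {
    return false; // relative paths (locally packaged polyfills) are not affected
  }
}

// Returns every script src in the template that points at polyfill.io.
function findPolyfillIoScripts(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    if (isPolyfillIoUrl(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Rewrites each offending src to the cdnjs copy, preserving the
// ?features=... query string so the same feature set is requested.
function rewriteToCdnjs(html) {
  return html.replace(SCRIPT_SRC_RE, (tag, src) => {
    if (!isPolyfillIoUrl(src)) return tag;
    const url = new URL(src.startsWith('//') ? 'https:' + src : src);
    return tag.replace(src, CDNJS_POLYFILL + url.search);
  });
}

// Constructed sample template: two polyfill.io loads and one local bundle.
const SAMPLE_TEMPLATE = `
<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch,Promise"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="/assets/core-js.min.js"></script>
`;

console.log('Found:', findPolyfillIoScripts(SAMPLE_TEMPLATE));
console.log(rewriteToCdnjs(SAMPLE_TEMPLATE));
```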
We hope this has clarified the situation. For any additional questions, please contact us through our official support channels.
Regards,
Jose Antonio Silva
VP of Technology
Modyo