Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove malicious polyfill.io usage #1161

Merged
merged 1 commit into from
Aug 5, 2024
Merged

Remove malicious polyfill.io usage #1161

merged 1 commit into from
Aug 5, 2024

Conversation

alanhamlett
Copy link
Contributor

Polyfill.io is redirecting to malicious websites. This PR removes the optional and unnecessary polyfill.io usage.

@alanhamlett alanhamlett mentioned this pull request Jun 25, 2024
Closed
@alanhamlett alanhamlett mentioned this pull request Jun 26, 2024
Closed
@hotwebmatter
Copy link

I'm not a maintainer, but this looks good to me.

Merging this would also resolve #1162

There's some urgency here; without this patch, the Choices-js library functions as a vector for malware. 👾

mbomb007
mbomb007 approved these changes Jun 27, 2024
View reviewed changes
Copy link

@mbomb007 mbomb007 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to go

@mbomb007
Copy link

I will also note that the website linked on the repo, choices-js[dot]github[dot]io/Choices/ contains the malicious CDN until this is fixed.

@mbomb007
Copy link

The repo doesn't appear to be maintained anymore. Nothing has been committed or merged in two years, neither on this repo, nor in any other repo by the main two maintainers.

Can someone contact a maintainer or someone with access to merge commits?

@icf-chartmann
Copy link

icf-chartmann commented Jul 1, 2024
edited
Loading

I'm emailing the maintainer at matt@modeldba.com

Hi Matt,

There is a PR (#1161) to replace the newly malicious polyfill.io dependency for the Choices library. The PR has been reviewed and approved but requires the maintainer to merge.
There are hundreds of thousands of Drupal websites using Webforms that rely on this plugin.
Please review and merge.
I will help find a new maintainer if you’re interested, but for now, please take action on this critical security issue.

Sincerely,
Carey Hartmann and the Drupal Community

@dontWatchMeCode dontWatchMeCode mentioned this pull request Jul 11, 2024
Closed
10 tasks
Xon added a commit to Xon/Choices.js that referenced this pull request Jul 29, 2024
@Xon
Merge remote-tracking branch 'alanhamlett/master'
f7b9a3b 
Remove malicious polyfill.io usage Choices-js#1161
Xon added a commit that referenced this pull request Aug 5, 2024
@Xon
Replace cdn.polyfill.io link (see #1163 #1161)
accf244
@Xon Xon merged commit c2f1b82 into Choices-js:master Aug 5, 2024
@Xon Xon mentioned this pull request Aug 6, 2024
Merged
9 tasks
@bspeare bspeare mentioned this pull request Aug 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbomb007 mbomb007 mbomb007 approved these changes

@Xon Xon Xon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@alanhamlett @hotwebmatter @mbomb007 @icf-chartmann @Xon