Date Published: July 4, 2024
Mitigating polyfill[.]io Security Exploits
Acquia has been made aware that a common third-party service, polyfill[.]io, has known security vulnerabilities that may impact any application using this project. Further information regarding this vulnerability can be found on drupal.org: 3rd Party Libraries and Supply Chains - PSA-2024-06-26. Affected projects include, but are not limited to, the popular Drupal Webform module. A list of projects currently known to be impacted can be found here.
Acquia recommends checking your codebase for any references to polyfill[.]io and, as a best practice, making code changes if your application relies on polyfill[.]io. If no references to polyfill[.]io are found, no further action is required. Instructions for this process can be found below:
Step 1: Check your codebase for any references to polyfill[.]io by running the following commands from the root of your repository:
grep -R "polyfill\.io" docroot/modules
grep -R "polyfill\.io" docroot/themes
grep -R "polyfill\.io" docroot/profiles
Step 2: If you do find that polyfill[.]io is used: Acquia recommends updating the codebase to load the polyfill files from a newer, more reliable source. Replacement sources for the polyfill[.]io files are available from both Fastly and Cloudflare. Customers who currently use Cloudflare as their CDN can enable an automatic rewrite of their HTML that changes polyfill[.]io references to one of the legitimate replacements; instructions for this can be found here: Automatically replacing polyfill[.]io links with Cloudflare's mirror for a safer Internet. This feature is enabled by default for all free-tier sites on Cloudflare; all other plans (Acquia Edge powered by Cloudflare is on the Enterprise tier) can enable the feature under Security ⇒ Settings, see below.
Step 2: If you do NOT find that polyfill[.]io is used: no further action is required, as your application has not been impacted.
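The check from Step 1 and the codebase change from Step 2, combined into one script as an added example (not Acquia's or Cloudflare's own tooling): it counts polyfill[.]io references under the three directories, then rewrites the polyfill[.]io and cdn.polyfill[.]io hosts to a mirror while keeping the path and feature query intact. The mirror host cdnjs.cloudflare.com/polyfill and the throwaway docroot fixture are assumptions made for the demonstration.

```shell
# Added example, not Acquia's own tooling: scan a Drupal docroot for
# polyfill.io references and rewrite them to Cloudflare's mirror host.
# Assumption: the replacement host is cdnjs.cloudflare.com/polyfill
# (adjust MIRROR_HOST if you prefer the Fastly mirror instead).

MIRROR_HOST='cdnjs.cloudflare.com/polyfill'

# Print file:line:text for every polyfill.io reference under the given
# directories (the three grep calls from Step 1, combined, with line numbers).
scan_polyfill_refs() {
    grep -rn -e 'polyfill\.io' "$@" 2>/dev/null
}

# Number of matching lines; "0" means no further action is required.
count_polyfill_refs() {
    scan_polyfill_refs "$@" | wc -l | tr -d ' '
}

# Rewrite polyfill.io (and cdn.polyfill.io) hosts in place, keeping the path
# and query string (e.g. /v3/polyfill.min.js?features=default) unchanged.
# Assumes file names contain no ':' (grep output is split on it).
rewrite_polyfill_refs() {
    scan_polyfill_refs "$@" | cut -d: -f1 | sort -u | while read -r f; do
        sed -i.bak "s#\(cdn\.\)\{0,1\}polyfill\.io/#${MIRROR_HOST}/#g" "$f" \
            && rm -f "$f.bak"
    done
}

# Constructed fixture: a throwaway docroot with one theme template that loads
# polyfill.io two ways and one clean module file. Prints the temp dir path.
make_polyfill_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/docroot/themes/custom/mytheme" \
             "$tmp/docroot/modules/custom/clean" "$tmp/docroot/profiles"
    cat > "$tmp/docroot/themes/custom/mytheme/html.html.twig" <<'EOF'
<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
EOF
    echo 'name: Clean module' > "$tmp/docroot/modules/custom/clean/clean.info.yml"
    echo "$tmp"
}

# Demo run (safe: only touches the fixture directory).
d=$(make_polyfill_fixture)
echo "before: $(count_polyfill_refs "$d/docroot/modules" "$d/docroot/themes" "$d/docroot/profiles") reference(s)"
rewrite_polyfill_refs "$d/docroot/modules" "$d/docroot/themes" "$d/docroot/profiles"
echo "after:  $(count_polyfill_refs "$d/docroot/modules" "$d/docroot/themes" "$d/docroot/profiles") reference(s)"
scan_polyfill_refs "$d/docroot" || echo "no polyfill.io references remain"
rm -rf "$d"
```

To use it against a real checkout, drop the demo lines at the bottom and call the functions with your own docroot/modules, docroot/themes and docroot/profiles paths; commit the rewritten files only after reviewing the diff.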