RESOLVED! :) Why is the community site calling a known malware js actor?

Mikee
Community Participant

Polyfill.io is a known malware vector and the domain was delisted by their host in February.

The community landing page calls polyfill.io's libraries. Here's a Cloudflare article on why that's a bad idea: https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-...

This is causing a full page load delay on Safari and other browsers - here's a sample from Safari showing the 10-minute load time for the community page - and the offending JS is listed below

Summary
URL: https://polyfill.io/v3/polyfill.min.js?features=es6
Status: —
Source: —
Initiator:
community.canvaslms.com:9

Request
Accept: */*
Referer: https://community.canvaslms.com/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15

Response

Query String Parameters
features: es6

1 Solution
nathanatkinson
Community Team

Thanks all for bringing this to our attention. We've worked with our platform provider support to remove this script. It's no longer present in the Community, so should no longer be causing any slowness or security concerns. Currently, we don't believe it was a necessary library anymore, but we'll be monitoring our custom components over the coming weeks to ensure no functionality has been impacted.

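
A static check for leftover references of the kind reported in this thread, as an added example that is not part of the original posts or the Community's own code: it scans page HTML for `<script>`/`<link>` tags whose URL resolves to polyfill.io or a subdomain. The function names and the sample HTML are constructed for illustration.

```javascript
// Hosts to flag. polyfill.io comes from the thread; extend per your own policy.
const FLAGGED_HOSTS = ["polyfill.io"];

// True when host is a flagged domain or a subdomain of one
// (so "notpolyfill.io" and "example.com/polyfill.io/..." do not match).
function isFlaggedHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return FLAGGED_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// Return every <script src> / <link href> in `html` that resolves to a
// flagged host. `pageUrl` is needed to resolve relative and
// protocol-relative ("//host/path") references. Regex matching is a
// heuristic: it only sees tags present in the static markup.
function findFlaggedIncludes(html, pageUrl) {
  const findings = [];
  const tagRe = /<(script|link)\b([^>]*)>/gi;
  // Require whitespace before the name so data-src / data-href are ignored.
  const attrRe = /(?:^|\s)(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = attrRe.exec(m[2]);
    if (!attr) continue;
    const raw = attr[2] ?? attr[3] ?? attr[4];
    let url;
    try { url = new URL(raw.trim(), pageUrl); } catch { continue; }
    if (isFlaggedHost(url.hostname)) {
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ tag: m[1].toLowerCase(), url: url.href, line });
    }
  }
  return findings;
}

// Constructed sample markup (not the real community page source).
const SAMPLE_HTML = [
  "<html><head>",
  '<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>',
  '<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>',
  '<script src="/assets/app.js"></script>',
  '<script src="https://example.com/polyfill.io/lib.js"></script>',
  '<script data-src="https://polyfill.io/x.js"></script>',
  "</head></html>",
].join("\n");

console.log(findFlaggedIncludes(SAMPLE_HTML, "https://community.canvaslms.com/"));
```

Scripts injected at runtime by other JavaScript will not appear in static markup, so the browser network panel shown in the original post remains the check for those.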