Polyfill Security Notice
Summary
YMCA Website Services relies on externally hosted code to provide broad browser support for its JavaScript applications (Virtual Y, Activity Finder, and Group Schedules). One of those dependencies, the polyfill.io service, recently changed ownership, and the resulting outages have caused sporadic failures on YMCA sites.
Users should incorporate the use Fastly polyfill patch for the openy_custom module as soon as possible to mitigate the issue. The patch changes the polyfill service URL to one hosted by Fastly, a trusted CDN provider.
What is the problem?
Polyfill.io is a service that makes web development less frustrating by serving, per request, just the polyfills the requesting browser needs: it provides modern JavaScript features to older browsers that do not support them natively.
In late February 2024, some YMCA websites reported sporadic outages in their Virtual Y applications. The core team's investigation found that the polyfill script was intermittently unavailable, which prevented Virtual Y from loading until the service recovered. The root cause was a change in ownership of the polyfill.io service, which has raised concerns about its reliability and potential security implications.
A full discussion of the problem can be found in:
- Is it true that polyfill.io hosting is going to be owned by a Chinese company? (GitHub)
- no-version scenario changed, maybe?
- Pollykill.io
How bad is it?
Because the polyfill script is loaded from a third-party host and runs with the full privileges of the page that includes it, a compromise of that host could theoretically be used to inject malicious code into YMCA sites. However, no such exploit has been observed, and there is no known loss of data or compromise of any site. The primary concern is service disruption rather than direct compromise.
The only known impact is the sporadic loss of functionality on some YMCA sites.
Using the Drupal Security Risk Calculator, this risk has been assessed as 8/25 (Less Critical) AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Default.
Here’s what that means:
- Access complexity: It is a complex/unintuitive process for an attacker to leverage the vulnerability.
- Authentication: No authentication is needed for an exploit to be successful.
- Confidentiality Impact: The vulnerability does not cause non-public data to become accessible.
- Integrity Impact: The vulnerability cannot allow system data to be compromised.
- Zero-day Impact: The exploit is theoretical; no public exploit code or documentation of one exists.
- Target Distribution: Default module configurations are exploitable, but a config change can disable the exploit.
What do we do?
Fastly (a trusted CDN provider) took a snapshot of the polyfill code before the service was sold and is hosting it independently. This provides a stable and reliable alternative to the polyfill.io service, whose reliability and ownership are now in question.
Please ask your agency partners to incorporate the use Fastly polyfill patch for the openy_custom module as soon as possible. For those with Virtual Y websites hosted with YMCA's Cloud Hosting Service, the team will roll out the patch for you; no action is needed on your part. This patch modifies the openy_custom module to use the Fastly-hosted polyfill service.
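After the patch is applied, the quickest way to confirm a site no longer loads the old service is to inspect the HTML it actually serves and check where every external script points. The following audit script is an added example for this notice; it is not part of the openy_custom module or the patch. It assumes the Fastly mirror is served from polyfill-fastly.net or polyfill-fastly.io (check that hostname against the URL in the patch you apply) and flags polyfill.io and any of its subdomains, including protocol-relative references such as //polyfill.io/..., which are easy to miss with a plain text search for "https://polyfill.io".

```python
"""Audit rendered HTML for third-party polyfill script sources.

Added example (not part of the openy_custom module or the patch): collects
every <script src> and <link href> in a page and reports which ones still
point at polyfill.io versus the Fastly-hosted replacement. Run it over the
HTML your site really serves, e.g.:

    curl -s https://your-y-site.example/ > page.html
    python polyfill_audit.py page.html
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# polyfill.io and any subdomain (e.g. cdn.polyfill.io) is the service that
# changed ownership. The replacement hosts are an assumption based on Fastly's
# public mirror; confirm they match the URL in the patch you apply.
FLAGGED_HOSTS = ("polyfill.io",)
REPLACEMENT_HOSTS = ("polyfill-fastly.net", "polyfill-fastly.io")


def _host_of(url):
    """Return the lowercase hostname of a URL; handles protocol-relative //host/path."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def _matches(host, suffixes):
    """True if host is exactly one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


class _SrcCollector(HTMLParser):
    """Collect external script and stylesheet URLs from a document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.urls.append(attrs["src"])
        elif tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])


def audit_polyfill_sources(html):
    """Classify every external script/stylesheet URL in the page.

    Returns a dict with three lists: 'flagged' (still on polyfill.io),
    'replacement' (on the Fastly mirror) and 'other' (everything else,
    including first-party relative paths).
    """
    collector = _SrcCollector()
    collector.feed(html)
    report = {"flagged": [], "replacement": [], "other": []}
    for url in collector.urls:
        host = _host_of(url)
        if _matches(host, FLAGGED_HOSTS):
            report["flagged"].append(url)
        elif _matches(host, REPLACEMENT_HOSTS):
            report["replacement"].append(url)
        else:
            report["other"].append(url)
    return report


# Constructed sample page: one unpatched polyfill.io reference (protocol-
# relative), one patched reference, and one unrelated first-party script.
SAMPLE_HTML = """
<html><head>
<script src="//polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://polyfill-fastly.net/v3/polyfill.min.js?features=es6"></script>
<script src="/core/assets/vendor/jquery/jquery.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    page = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HTML
    result = audit_polyfill_sources(page)
    for url in result["flagged"]:
        print("UNPATCHED:", url)
    for url in result["replacement"]:
        print("patched:  ", url)
    # Non-zero exit lets this run as a check in a deployment pipeline.
    sys.exit(1 if result["flagged"] else 0)
```

Run it against the home page and at least one Virtual Y page, since the polyfill script is attached per application rather than site-wide. A non-empty "flagged" list means a library definition or theme template still carries the old URL.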