[Security Alert]: Polyfill.io Issue for Google Maps Platform users in Angular

Asked 1/7, 2024 at 8:56 Answered 2/7, 2024 at 1:12

My web app is in Angular and today I got a message from Google Cloud Platform, its mentioned a "Notification Title: [Security Alert]: Polyfill.io Issue for Google Maps Platform users". How can we resolve the issue? Angular has its builtin polyfills.ts which is mandatory and installs with the project by default.

A lot of users using the WordPress Google Map plugin report this issue. But, the same is occurring with my angular application. My project does not include any third party polyfills cdn for the map or so. I am using primeng's Gmap with Google's Map platform combined.

Here they say it, but I can't find polyfill.io to remove from my code.

What am I missing here? Is it with my project missing or outdated any library/packages? If so, which one?

Chavers answered 1/7, 2024 at 8:56 Comment(0)

Polyfill.io was owned by the Financial Times web team, then moved under community management, and the last maintainer sold the project to a strange Chinese CDN company, and they moved it away from Fastly (the CDN / Edge compute platform running the OSS code for the service) and started to mess with the returned files.

If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately

Google has become aware of a security issue that may be affecting websites using specific third-party libraries (including polyfill.io). This issue can sometimes redirect visitors away from the intended website without website owner knowledge or permission, or potentially cause other malicious behavior. Many of the Maps JavaScript API samples in the Developer Documentation previously included a polyfill.io script declaration.

The problem is your third-party Google Map library that is using Polyfill.io. Try for updates or replace it.

Delegacy answered 1/7, 2024 at 9:14 Comment(2)

but how can I get to know the which specific library I am using is using any instance of polyfill.io under the hood. All I can do is search for polyfill.io globally in my project which I am doing now and getting not a single result for it. – Chavers 1/7, 2024 at 9:21

Try the one for Google Maps. – Delegacy 1/7, 2024 at 9:22

As far as I know polyfill.ts has no relation to polyfill.io.

It's a notice to warn users about the vulnerability and not directly pointing at your code that there is a problem.

For the safe side, Do a global search of your project including node_modules for the keyword polyfill.io; if you have it, identify the package and uninstall or check for a new version, if not ignore and proceed.

Just check if .gitignore has node_modules. If that is present, then you will not see the result in global search of vscode/maybe other editors also.

Maricela answered 1/7, 2024 at 9:14 Comment(7)

exactly polyfill.ts and polyfill.io both are not relatable to each other. Also, i did the global search for polyfill.io in my whole project and did not find a single search for it. – Chavers 1/7, 2024 at 9:17

@Chavers Just check if .gitignore has node_modules. If that is present, then you will not see the result in global search of vscode! – Maricela 1/7, 2024 at 9:18

I am using webstorm and not vscode. In webstorm i need to do the same? – Chavers 1/7, 2024 at 9:22

@Chavers I think so, not sure though – Maricela 1/7, 2024 at 9:23

I have tried by removing the node_modules and recompiling the code. Still same output. – Chavers 1/7, 2024 at 9:26

@Chavers I just was talking about search, if there are no results, I think its ok – Maricela 1/7, 2024 at 9:27

Something else you can do is open your site in a browser on a page containing a map, with the Developer Tools panel open. Go to the Network tab, make sure "All" types of file are selected and then search/scan for polyfill.io in the list of requests. (Though you should still search your sourcecode too.) – Passing 9/8, 2024 at 11:36

This can also come from Google Maps API samples. Google maps samples used polyfill.io references and they removed it from their side now.

If you are using those samples in your repo, removing them should fix the issue. If you are not using code samples, then you can ignore this warning if it's come from google maps libs.

You can find the more details in this googlemaps issue and here's the fix MR from their side - https://github.com/googlemaps/js-samples/pull/1675/files

Neman answered 2/7, 2024 at 1:12 Comment(0)

Recommended topics

Hot tags