Polyfill.io vulnerability

[billsanto]

Our security team detected the presence of polyfill in the application and it is rated as a high risk vulnerability. Is it possible to disable this, pending an update?

https://thehackernews.com/2024/06/over-110000-websites-affected-by.html

Invicti Enterprise identified the usage of Pollyfill in the target web server’s HTTP response.
Polyfill.io, a widely used JavaScript library, was compromised following its acquisition by Funnull, a China-based CDN company. Malicious code was injected into the library, redirecting users to harmful websites.
Impact
Affected Users:
Over 110,000 websites Nature of Malicious Activity:
Redirecting users to sports betting and pornographic sites. Specific activation on certain mobile devices at particular times. Delayed execution to evade web analytics detection. Avoidance of activation when an admin user is detected.

[chrisknoll]

I would be fine with this. There was an idea to apply babel to our build pipeline, but I think it can bloat our code by introducing polyfills that are not necessary in modern browsers.

We need someone familiar with the build chain to extract babel/polyfil from the build chain.