Does polyfills chain attack and polyfills in angular related?

Question

0.00/5 (No votes)

See more:

I have projects in Angular 14 and 15, and vue project. There is security warning on Polyfills chain attack.
I want to know if this attack is related to angular's file polyfills.ts and does the angulars 14 to 15 and vue is safe?

What I have tried:

Remove Polyfill.io code from your website immediately • The Register[^]

Posted 7-Jul-24 23:03pm

Member 15992206

Updated 7-Jul-24 23:29pm

Add a Solution

2 solutions

Solution 1

"If you are using polyfill code in any application, you should stop and remove it urgently" seems to be the message coming from all sorts of security companies.

That applies to all versions of Angular as far as I can see: if you use it, get rid of it (but take a backup first in case it may be safe to go back to it at some point in the future).

Posted 7-Jul-24 23:32pm

OriginalGriff

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Pete O'Hanlon · Accepted Answer · 2024-07-08T00:16:00

By default, yes, your Angular code is using the polyfill repository. It doesn't necessarily mean your code is affected, as this attack is only related to versions of polyfill that were posted to npm/yarn/(insert packagemanager of choice here) after the takeover of the package. This doesn't retrospectively change earlier versions.