Security public service announcements: 3rd Party Libraries and Supply Chains – PSA-2024-06-26

Date: 2024-June-26
Description: 

Following on from previous PSAs on 3rd Party code in the Drupal ecosystem:

It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of 3rd party libraries.

Supply chains are increasingly complex, and managing the associated risks is challenging. Website owners should actively manage their dependencies, potentially leveraging a Software Bill of Materials (SBOM) or dependency-scanning services. Other relevant tools include Content Security Policy (CSP) and Subresource Integrity (SRI).

Concerns around polyfill.io

The most recent case that has affected some contributed Drupal projects relates to the polyfill.io service.

Recently, a new organization acquired and updated the polyfill.io service. The new service appears to be serving malicious content from the polyfill.io endpoints under specific circumstances.

In response to these concerns, several trusted providers of JavaScript libraries are now also serving replacements for the polyfill.io service. Website owners should update their site to incorporate a newer, more reliable source for the polyfill.io files.

On the other hand, the polyfills may no longer be necessary in many cases, and it may be possible to remove them from sites rather than rely on a new source.
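As an added example (not part of this PSA or of any Drupal project), the Python script below audits rendered HTML for external `<script>` tags that reference polyfill.io or lack an SRI `integrity` attribute, and includes a helper that computes the `integrity` value for a static copy of a library; the sample HTML is constructed. SRI can only pin a fixed file, which is one reason a user-agent-dependent polyfill service cannot be protected by it and a self-hosted or versioned replacement is preferable.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one CDN script pinned with SRI (placeholder hash),
# one polyfill.io reference without SRI, and one same-origin Drupal script.
SAMPLE_HTML = """
<script src="https://cdn.example/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://polyfill.io/v3/polyfill.min.js"></script>
<script src="/core/misc/drupal.js"></script>
"""

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the value to place in <script integrity="..."> for a static file."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

class ScriptAudit(HTMLParser):
    """Collect (src, reason) findings for risky external script tags."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        # Inline and same-origin scripts are outside the scope of this audit.
        if not src or not re.match(r"^(https?:)?//", src):
            return
        host = (urlparse(src).hostname or "").lower()
        if host == "polyfill.io" or host.endswith(".polyfill.io"):
            self.findings.append((src, "references polyfill.io; replace or remove"))
        elif "integrity" not in a:
            self.findings.append((src, "external script without SRI integrity"))

def audit(html: str):
    """Parse HTML and return the list of findings."""
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for src, reason in audit(SAMPLE_HTML):
        print(f"{src}: {reason}")
```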

Multiple Drupal projects utilize this service in various ways, several of which require code changes and new releases to switch to alternative providers. As this relates to 3rd party libraries, the Drupal Security Team will not be issuing Security Advisories for these projects, and work has been done in the public issue queues (note that this may not be a complete list of all affected projects).

There have been significant changes in the way that 3rd party code is utilized in the Drupal ecosystem since PSA-2011-002 linked to above, but the remit of the Drupal Security Team remains limited to code hosted on drupal.org’s systems.

Coordinated By: