
[Security Alert]: Polyfill.io Issue for Google Maps Platform users in Angular

My web app is in Angular, and today I got a message from Google Cloud Platform. It mentioned a "Notification Title: [Security Alert]: Polyfill.io Issue for Google Maps Platform users". How can we resolve the issue? Angular has its built-in polyfills.ts, which is mandatory and installs with the project by default.

A lot of users of the WordPress Google Map plugin report this issue, but the same is occurring with my Angular application. My project does not include any third-party polyfills CDN for the map or anything similar. I am using PrimeNG's Gmap combined with Google's Maps platform.

Here they say it, but I can't find polyfill.io to remove from my code.

Google Map Security Notice

What am I missing here? Is my project missing any library/package, or is one outdated? If so, which one?

asked May 20 '26 20:05

Jawad


2 Answers

Polyfill.io was owned by the Financial Times web team, then moved under community management. The last maintainer sold the project to a strange Chinese CDN company, which moved it away from Fastly (the CDN / edge compute platform running the OSS code for the service) and started to mess with the returned files.

If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately

Google has become aware of a security issue that may be affecting websites using specific third-party libraries (including polyfill.io). This issue can sometimes redirect visitors away from the intended website without website owner knowledge or permission, or potentially cause other malicious behavior. Many of the Maps JavaScript API samples in the Developer Documentation previously included a polyfill.io script declaration.

The problem is your third-party Google Map library that is using Polyfill.io. Check for updates or replace it.

answered May 22 '26 13:05

D A


As far as I know, polyfills.ts has no relation to polyfill.io.

It's a notice to warn users about the vulnerability; it is not pointing directly at your code to say there is a problem.

To be on the safe side, do a global search of your project, including node_modules, for the keyword polyfill.io. If you have it, identify the package and uninstall it or check for a new version; if not, ignore and proceed.

Just check whether .gitignore has node_modules. If it is present, you will not see the result in the global search of VS Code (and maybe other editors also).

answered May 22 '26 12:05

Naren Murali
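
The global search described in the second answer, as an added example that is not part of the original answers: it runs from the shell, so a node_modules entry in .gitignore does not hide anything, and it names the npm package that owns each hit. The package name example-maps-widget and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers.
# find_polyfill_refs DIR prints "<package>@<version><TAB><file>" for each file
# under DIR that mentions polyfill.io. grep -r reads the disk directly, so a
# node_modules entry in .gitignore has no effect on the result.
find_polyfill_refs() {
  local root="${1:-.}" file dir name ver
  root="${root%/}"
  grep -rIli --exclude-dir=.git 'polyfill\.io' "$root" 2>/dev/null | sort |
  while IFS= read -r file; do
    dir=$(dirname "$file")
    # Walk up to the nearest package.json: that is the owning npm package.
    while [ "$dir" != "$root" ] && [ "$dir" != "/" ] && [ ! -f "$dir/package.json" ]; do
      dir=$(dirname "$dir")
    done
    name="(no package.json)"; ver="?"
    if [ -f "$dir/package.json" ]; then
      # Takes the first "name"/"version" keys; enough for ordinary manifests.
      name=$(sed -n 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/package.json" | head -n 1)
      ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/package.json" | head -n 1)
    fi
    printf '%s@%s\t%s\n' "$name" "$ver" "${file#"$root"/}"
  done
}

# Constructed sample project (hypothetical package name) to exercise the scan.
# src/polyfills.ts is Angular's own file and contains no polyfill.io reference.
make_sample_project() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/src" "$d/node_modules/example-maps-widget/dist"
  printf 'node_modules\n' > "$d/.gitignore"
  printf '{\n  "name": "my-angular-app",\n  "version": "0.0.1"\n}\n' > "$d/package.json"
  printf "import 'zone.js';\n" > "$d/src/polyfills.ts"
  printf '{\n  "name": "example-maps-widget",\n  "version": "1.2.3"\n}\n' \
    > "$d/node_modules/example-maps-widget/package.json"
  printf 'loadScript("https://polyfill.io/v3/polyfill.min.js");\n' \
    > "$d/node_modules/example-maps-widget/dist/widget.js"
  printf '<script src="https://polyfill.io/v3/polyfill.min.js"></script>\n' > "$d/src/index.html"
  echo "$d"
}

# Scan the directory given on the command line, e.g.: bash scan.sh .
if [ $# -gt 0 ]; then find_polyfill_refs "$1"; fi
```

A hit attributed to your own app (such as src/index.html) means the script tag is in your code; a hit under node_modules names the dependency to update or replace.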


