
Dependency on compromised polyfill.js CDN via albertcht/invisible-recaptcha #191

Open
phizev opened this issue Jun 26, 2024 · 1 comment

Comments

@phizev

phizev commented Jun 26, 2024

As reported in the media, the original polyfill.js CDN has been serving malware. While this Craft plugin does not directly have a dependency on polyfill.js, a dependency of it does, namely albertcht/invisible-recaptcha.

I've filed a PR albertcht/invisible-recaptcha#173, and opened an issue albertcht/invisible-recaptcha#174 with the downstream project.

Unfortunately the project does not seem to be actively maintained, and has not had any PRs merged since 2022.

I'm not sure on the best path to resolving this issue, though the quickest might be to switch to a fork of albertcht/invisible-recaptcha with the polyfill.js either removed, or updated to an alternative.

@khalwat

khalwat commented Jun 28, 2024

Thankfully, Namecheap has revoked the DNS so this issue is less dire than it was initially:

Update June 27th: Cloudflare has implemented real-time rewrites of cdn.polyfill.io to their own version. A little later, Namecheap has put the domain on hold altogether, which eliminates the risk for now. However, you are still recommended to remove any polyfill.io references in your code.

https://sansec.io/research/polyfill-supply-chain-attack
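As an added example (not code from this issue, this plugin or albertcht/invisible-recaptcha), the following scans a Composer vendor tree for polyfill.io references and attributes each one to the package that carries it, marking whether that package is a direct requirement of the project or a deeper, transitive one, which is the situation described above. The sample project, its file names and the URLs are constructed fixtures and are assumptions, not the real package layout.

```python
import json
import re
import tempfile
from pathlib import Path

# cdn.polyfill.io is the host named in the sansec write-up; the bare domain is matched too.
POLYFILL_RE = re.compile(r"""https?://(?:cdn\.)?polyfill\.io/[^\s"'<>]*""")
SCAN_SUFFIXES = (".php", ".js", ".html", ".twig")  # text files that can carry a <script src>

def direct_dependencies(project: Path) -> set[str]:
    """Packages the project itself requires (composer.json 'require')."""
    composer = json.loads((project / "composer.json").read_text())
    return set(composer.get("require", {}))

def find_polyfill_refs(project: Path) -> list[dict]:
    """Walk vendor/ and return one finding per line referencing polyfill.io,
    attributed to the vendor/<vendor>/<package> directory it lives in."""
    direct = direct_dependencies(project)
    findings = []
    for path in sorted((project / "vendor").rglob("*")):
        rel = path.relative_to(project / "vendor")
        if not path.is_file() or not path.name.endswith(SCAN_SUFFIXES) or len(rel.parts) < 3:
            continue
        package = f"{rel.parts[0]}/{rel.parts[1]}"
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for match in POLYFILL_RE.finditer(line):
                findings.append({"package": package, "file": str(path.relative_to(project)),
                                 "line": lineno, "url": match.group(0),
                                 "kind": "direct" if package in direct else "transitive"})
    return findings

def build_sample_project() -> Path:
    """Constructed fixture (an assumption, not the real package layout): a plugin requiring
    albertcht/invisible-recaptcha, whose view loads polyfill.js from the CDN, plus a nested
    package that is not a direct requirement but carries a reference of its own."""
    root = Path(tempfile.mkdtemp())
    (root / "composer.json").write_text(json.dumps(
        {"name": "example/craft-plugin", "require": {"albertcht/invisible-recaptcha": "*"}}))
    files = {
        "albertcht/invisible-recaptcha/resources/views/captcha.blade.php":
            '<script src="https://cdn.polyfill.io/v2/polyfill.min.js?features=Promise"></script>\n',
        "example/nested-lib/assets/app.js": 'loadScript("https://polyfill.io/v3/polyfill.min.js");\n',
        "example/clean-lib/src/Lib.php": "<?php // no CDN references here\n",
    }
    for rel, body in files.items():
        (root / "vendor" / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / "vendor" / rel).write_text(body)
    return root
```

Calling `find_polyfill_refs(build_sample_project())` returns two findings, the albertcht one marked direct and the nested one transitive, while the clean package produces none; point `find_polyfill_refs` at a real project root to audit it.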
