⚠️ Action required: remove polyfill.io in extra_javascript

[FutureMatt]

Important

TL;DR: make sure to remove any script referenced in extra_javascript that points to polyfill.io:

  extra_javascript:
    - javascripts/mathjax.js
-   - https://polyfill.io/v3/polyfill.min.js?features=es6
    - https://unpkg.com/mathjax@3/es5/tex-mml-chtml.js

Added by @squidfunk

---

Context

No response

Description

Polyfill.io was bought by a Chinese company earlier this year and has since then gone on to inject malicious code into the polyfill code it delivers.

Polyfill.io should be removed where possible, if not Fastly and Cloudflare have set up mirrors of safe code.

Related links

• [Polyfill supply chain attack hits 100K+ sites] (https://sansec.io/research/polyfill-supply-chain-attack)
• Polyfill.io JavaScript supply chain attack impacts over 100K sites

Use Cases

This'll affect all users of the project.

Visuals

No response

Before submitting

• I have read and followed the change request guidelines.
• I have verified that my idea is a change request and not a bug report.
• I have ensured that, to the best of my knowledge, my idea will benefit the entire community.
• I have included relevant links to the documentation, related issues, and discussions to underline the need for my idea.

[FutureMatt]

I'm going to close this actually, as looking again, I think this is restricted to your examples in your documentation. However I'd recommend updating the documentation to not reference it.

[alexvoss]

Thanks for drawing attention to this. I do think we should address this, so am reopening it and will assign to myself. @squidfunk can override this if he wants. Am about to call it a day but can do a PR tomorrow first thing to address this.

IMHO, we should draw this to the attention of users, too. People using MathJAX might be affected if they have copied the suggested bit of configuration. Here, polyfill.io is needed only for IE11 compatibility, which I think few people will really need? We could conceivably just take out the mention of polyfill or refer to the MathJAX documentation so we don't have to figure out what the appropriate alternative is?

[squidfunk]

Thanks for reporting! Yes, we should definitely remove the references to poylfill.io. Note that we copied those from MathJax installation instructions some time ago. Nowadays, all browsers that we support should support the entirety of ES6 (or ES2015), so I'd consider it safe to remove it. I'll make the changes asap.

[squidfunk]

Fixed in 12a8e82. Since we don't have a channel to communicate this change, and we didn't include polyfill.io in our own sources (it's customization-only), I'm not sure where and how we can reach users to notify them about the recommended removal. Any ideas? Other than that, this issue can be considered resolved.

[alexvoss]

Candidates: mention in changelog, pin a discussion item. I will also let the good people at MathJax know and we can add the link to the issue there. I think it is less about effective communication, which we lack the channel for, than about doing our bit and spreading the word. Edit: mathjax/MathJax#3247

[kamilkrzyskow]

Since mkdocs-material has its own implementation of the search plugin, which is typically enabled for most users, I always thought it would be a good candidate to break the SOLID coding approach, and add a bunch of stuff there like validation of theme.features or in this case validation of extra_javascript. 😅

I'm just not sure if this issue is really that serious to warrant breaking convention, kind of doubt that tbh.

[squidfunk]

We currently have no impending release, as there are no changes yet, but I reopen this and pin it, so that users see it and we can add it to our release notes as an actionable item 🤟

Since mkdocs-material has its own implementation of the search plugin, which is typically enabled for most users, I always thought it would be a good candidate to break the SOLID coding approach, and add a bunch of stuff there like validation of theme.features or in this case validation of extra_javascript. 😅

Very valid idea. I've stopped counting how often I've hit the case where it would've been the easiest way for Material for MkDocs to add a few lines of Python to properly configure or validate or whatever do with MkDocs, but you know, it's "just a theme" with some optional plugins and MkDocs doesn't allow themes to execute logic. We might raise this to Tom, since he announced he'll be taking on maintainership to work on the next iteration of MkDocs, but I'm afraid he's heading in a different direction, so there's probably little hope of getting a theme entrypoint into the internals of MkDocs:

２ Templating over code.
Safe rendering, avoid Python knowledge as a dependancy.

Again, I'm taking this back to the drawing board. We need a solution for this. It's too important.

[vbd]

In my site folder rg -l polyfill returned:

assets\javascripts\workers\search.b8dbb3d2.min.js.map
assets\javascripts\bundle.5cfa9459.min.js.map
assets\javascripts\bundle.5cfa9459.min.js

I checked my mkdocs.yml for any MathJax occurences but didn't find anything.
What should I do at the moment?

[squidfunk]

There's no problem with files that are bundled with the theme. You only have to check and make sure that you do not reference any file hosted on polyfill.io as part of extra_javascript.

[squidfunk]

I've updated the original post with a TL;DR.

[vbd]

Thank you for the clarification.

[charliebritton]

The registrar have now taken the polyfill.io domain down, so there should be no immediate threats to sites for anyone who might be panicking about this, at least in the short term.

[squidfunk]

Perfect, thanks for noting! We can consider this issue resolved then.