A supply-chain attack on the CDN serving the third-party Polyfill.js library was announced today, affecting 100k sites globally. This library backfills newer JavaScript features for older, unsupported browsers and is not part of the WPVIP platform or WordPress. This code would only exist on your site if it has been explicitly included in your theme or plugins.
This supply-chain attack was first reported by Sansec.
All impacted VIP customers have been notified individually.
What actions should I take?
You can search for polyfill.io in your repo(s) and remove the related code if it is no longer needed, or switch to a trusted mirror provided by Fastly or Cloudflare. See the announcements below regarding the mirrors provided by those services:
https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
What does this mean for my site(s)?
Removing or replacing the related code should not impact your site’s usability for most users. According to the original author of the Polyfill.io library, it is no longer needed by modern browsers, so in most cases, you can safely remove it.
WPVIP has deployed a platform-level mitigation for customers whose scripts are loaded through the core WordPress script enqueue APIs. This disables loading of scripts from polyfill.io and cdn.polyfill.io on those sites. WPVIP urges all customers to review their usage of Polyfill.js from the polyfill.io service and remove it or switch to a trusted mirror as outlined above.
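For sites that need the same protection outside the WPVIP platform, the mitigation described above can be reproduced as a must-use plugin that hooks the core `script_loader_src` filter. This is an added example, not WPVIP's platform code; it assumes the plugin file is placed in `wp-content/mu-plugins/`, that `POLYFILL_MIRROR_BASE` is a placeholder you fill in from the Fastly or Cloudflare announcement (or leave empty to block), and it generalises the two hosts named in this notice to any `*.polyfill.io` host. It only covers scripts registered via `wp_enqueue_script`/`wp_register_script`; `<script>` tags hard-coded in templates still need to be found and removed by searching the repo.

```php
<?php
/**
 * Plugin Name: Block polyfill.io script loads (added example, not WPVIP code)
 * Description: Drops, or rewrites to a trusted mirror, any script enqueued via
 *              the core WordPress APIs whose host is polyfill.io, cdn.polyfill.io
 *              or any other *.polyfill.io subdomain.
 */

// Assumption: leave empty to block outright, or set to a trusted mirror base URL
// (scheme + host, from the Fastly/Cloudflare announcements) to rewrite instead.
// Check the mirror's path layout against its announcement before relying on it.
const POLYFILL_MIRROR_BASE = ''; // e.g. 'https://MIRROR-HOST-PLACEHOLDER'

function example_is_polyfill_io_host( $src ) {
	$host = wp_parse_url( $src, PHP_URL_HOST ); // handles '//host/...' too
	if ( ! is_string( $host ) ) {
		return false;
	}
	$host = strtolower( $host );
	// The two hosts named in the advisory, plus any other polyfill.io subdomain.
	return 'polyfill.io' === $host || '.polyfill.io' === substr( $host, -12 );
}

function example_filter_polyfill_src( $src, $handle ) {
	if ( ! example_is_polyfill_io_host( $src ) ) {
		return $src;
	}
	// Audit trail: lists the handles that still reference polyfill.io so they
	// can be located in the theme/plugin code and removed.
	error_log( sprintf( 'Blocked polyfill.io script "%s" (%s)', $handle, $src ) );

	if ( '' === POLYFILL_MIRROR_BASE ) {
		// Returning false makes WP_Scripts skip printing the tag for this handle.
		return false;
	}
	// Keep the original path and query, but serve them from the mirror host.
	$path  = (string) wp_parse_url( $src, PHP_URL_PATH );
	$query = wp_parse_url( $src, PHP_URL_QUERY );
	return rtrim( POLYFILL_MIRROR_BASE, '/' ) . $path . ( $query ? '?' . $query : '' );
}
add_filter( 'script_loader_src', 'example_filter_polyfill_src', 10, 2 );
```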