Polyfill Security Notice

A change in an upstream JavaScript library may break the functionality of some sites.

Summary

YMCA Website Services relies on some external code to provide broad browser support to JavaScript applications (like Virtual Y, Activity Finder, and Group Schedules). One of those codebases recently changed owners, which resulted in sporadic failures.

To mitigate the issue, users should apply the "use Fastly polyfill" patch for the openy_custom module as soon as possible.

What is the problem?

Polyfill is a service that makes web development less frustrating by serving only the polyfills that the requesting browser actually needs.

In late February 2024, some YMCA websites reported sporadic outages in their Virtual Y applications. After some investigation, the core team discovered the outages were the result of the Polyfill library not being available, which temporarily caused Virtual Y not to load.

A full discussion of the problem can be found on:

How bad is it?

While the change could theoretically be exploited to inject malicious code, there is no known risk of data loss, nor any known ability for third parties to compromise sites.

The only known impact is the sporadic loss of functionality of some pieces of YMCA sites.

Using the Drupal Security Risk Calculator, this risk has been assessed as 8/25 (Less Critical): AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Default.

Here’s what that means:

  • Access complexity: It is a complex/unintuitive process for an attacker to leverage the vulnerability.
  • Authentication: No authentication is needed for an exploit to be successful.
  • Confidentiality Impact: The vulnerability does not cause non-public data to become accessible.
  • Integrity Impact: The vulnerability cannot allow system data to be compromised.
  • Zero-day Impact: A documented exploit does exist in the wild.
  • Target Distribution: Default module configurations are exploitable, but a config change can disable the exploit.

What do we do?

Fastly (a trusted CDN provider) has taken a snapshot of the code before it was sold and is hosting it independently.

Please ask your agency partners to apply the "use Fastly polyfill" patch for the openy_custom module as soon as possible. For those with Virtual Y websites hosted with YMCA’s Cloud Hosting Service, the team will roll out the patch for you, and no action is needed on your part.
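As an added example (not part of this notice and not the openy_custom patch itself), a small Python audit that lists a page's external scripts, flags any still loaded from the original polyfill host, and repoints them to the Fastly-hosted snapshot. The hostnames polyfill.io and polyfill-fastly.net are assumptions drawn from general knowledge of the two services; the notice does not name them.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostnames (not named in the notice): the original service and
# the independently hosted Fastly snapshot of the same code.
LEGACY_HOST = "polyfill.io"
FASTLY_HOST = "polyfill-fastly.net"


class ScriptCollector(HTMLParser):
    """Collects the attributes of every external <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def audit_scripts(html):
    """One finding per external script: its host, whether it is the
    legacy polyfill host, and whether an SRI integrity hash is present."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for a in p.scripts:
        host = urlparse(a["src"]).hostname or ""
        findings.append({
            "src": a["src"],
            "host": host,
            "legacy_polyfill": host == LEGACY_HOST or host.endswith("." + LEGACY_HOST),
            "has_sri": "integrity" in a,
        })
    return findings


def repoint_polyfill(html):
    """Rewrite src attributes on the legacy host to the Fastly snapshot,
    keeping path and query (the requested feature list) intact. SRI is not
    added: the polyfill bundle is generated per User-Agent, so no single
    hash is stable across browsers."""
    pattern = re.compile(r'(src=["\']https?://)(?:[\w.-]+\.)?' + re.escape(LEGACY_HOST) + r'/')
    return pattern.sub(lambda m: m.group(1) + FASTLY_HOST + "/", html)


# Constructed sample page, not taken from any real YMCA site.
SAMPLE = """<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=fetch,Promise"></script>
<script src="https://cdn.example.org/app.js" integrity="sha384-abc" crossorigin="anonymous"></script>
</head><body></body></html>"""
```

Run `audit_scripts(SAMPLE)` to see which scripts still hit the legacy host, and `repoint_polyfill(SAMPLE)` to produce the corrected markup.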