Polyfill Security Notice

A change in an upstream JavaScript library may break the functionality of some sites.

Summary

YMCA Website Services relies on some external code to provide broad browser support to JavaScript applications (like Virtual Y, Activity Finder, and Group Schedules). One of those codebases recently changed owners, which resulted in sporadic failures.

Users can incorporate the Fastly polyfill patch for the openy_custom module as soon as possible to mitigate the issue.

What is the problem?

Polyfill is a service that makes web development less frustrating by selectively polyfilling just what the browser needs.

In late February 2024, some YMCA websites reported sporadic outages in their Virtual Y applications. After some investigation, the core team discovered the outages were the result of the Polyfill library not being available, which temporarily caused Virtual Y not to load.

A full discussion of the problem can be found on:

How bad is it?

While the change could theoretically be exploited to inject malicious code, there is no known risk of data loss or the ability for third parties to compromise sites.

The only known impact is the sporadic loss of functionality of some pieces of YMCA sites.

Using the Drupal Security Risk Calculator this risk has been assessed as 8/25 (Less Critical) AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Default.

Here’s what that means:

  • Access complexity: It is a complex/unintuitive process for an attacker to leverage the vulnerability.
  • Authentication: No authentication is needed for an exploit to be successful.
  • Confidentiality Impact: The vulnerability does not cause non-public data to become accessible.
  • Integrity Impact: The vulnerability can not allow system data to be compromised.
  • Zero-day Impact: A documented exploit does exist in the wild.
  • Target Distribution: Default module configurations are exploitable, but a config change can disable the exploit.

What do we do?

Fastly (a trusted CDN provider) has taken a snapshot of the code before it was sold and is hosting it independently.

Please ask your agency partners to incorporate the Fastly polyfill patch for the openy_custom module as soon as possible. For those with Virtual Y websites hosted with YMCA’s Cloud Hosting Service, the team will roll out the patch for you and there is no action needed on your part.

Activity Finder Security Notice

Trusted hosts settings are now required for sites that use Activity Finder.

Summary

Activity Finder could provide an attack vector where a malicious site could use the “trusted” YMCA domain to redirect users to an untrusted site.

Sites using Activity Finder should immediately ensure they have activity_finder_trusted_redirect_host_patterns configured in settings.php as per the documentation and update to the latest release of Activity Finder.

What is the problem?

Activity Finder provides a method for sites to redirect users to register for activities. The method passes a URL in a query string, like exampleymca.org/af/register-redirect/1234?url=https://exampleactivities.com....

Activity Finder provides a method to allow only trusted hosts to be redirected to, but if no trusted host was configured, any host was previously allowed through.

This could provide an attack vector where a malicious site could use the “trusted” YMCA domain to redirect users to an untrusted site, like exampleymca.org/af/register-redirect/1234?url=https://examplephishers.net.

How bad is it?

Using the Drupal Security Risk Calculator this risk has been assessed as 12/25 (Moderately Critical): AC:Basic/A:None/CI:None/II:None/E:Exploit/TD:Default.

Here’s what that means:

  • Access complexity: It is trivial for an attacker to leverage the vulnerability.
  • Authentication: No authentication is needed for an exploit to be successful.
  • Confidentiality Impact: The vulnerability does not cause non-public data to become accessible.
  • Integrity Impact: The vulnerability can not allow system data to be compromised.
  • Zero-day Impact: A documented exploit does exist in the wild.
  • Target Distribution: Default module configurations are exploitable, but a config change can disable the exploit.

What do we do?

There are two mitigations available to you to use immediately:

  1. If your site is actively using Activity Finder, you should immediately ensure your site has activity_finder_trusted_redirect_host_patterns configured in settings.php as per the documentation. After deploying this change and clearing caches, your site will be secure. If you do not make this change, your Activity Finder links may stop redirecting on your next code update.
  2. If your site is not actively using Activity Finder, update to the latest release of Activity Finder or include this patch to enforce the security of your site, as the Activity Finder code could still be active even though it’s not being used.
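As an added illustration of the allowlist the two mitigations rely on, the following PHP is not the Activity Finder module's own code. It shows a register-redirect handler that validates the ?url= query parameter against configured host patterns and fails closed when none are configured (the behaviour the fix introduces). The setting name comes from this notice; the pattern format (anchored regular expressions matched against the host only), the function names and the sample hosts are assumptions, so check the module documentation for the real format.

```php
<?php
// Added example, not code from the Activity Finder module. Setting name from the
// notice; pattern format, function names and sample inputs are assumptions.

/**
 * Returns TRUE only if $url is an absolute http(s) URL whose host matches one of
 * the trusted host patterns.
 */
function af_redirect_host_allowed(string $url, array $trusted_host_patterns): bool {
  // Fail closed: with no configured patterns nothing is trusted. Previously an
  // empty list let any host through, which is the open redirect the notice describes.
  if ($trusted_host_patterns === []) {
    return FALSE;
  }
  $parts = parse_url($url);
  if ($parts === FALSE || empty($parts['host'])) {
    return FALSE;
  }
  // Only absolute http(s) targets are redirectable; protocol-relative or
  // javascript: values have no acceptable scheme and are rejected here.
  $scheme = strtolower($parts['scheme'] ?? '');
  if (!in_array($scheme, ['http', 'https'], TRUE)) {
    return FALSE;
  }
  // Match against the host alone, so userinfo, port, path or query string
  // cannot influence the decision. Patterns are anchored (^...$) so a lookalike
  // host that merely contains the trusted name does not match.
  $host = strtolower($parts['host']);
  foreach ($trusted_host_patterns as $pattern) {
    if (preg_match('#' . $pattern . '#i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Resolves the redirect target for a request, falling back to a local path
 * whenever the requested host is not trusted.
 */
function af_register_redirect_target(array $query, array $trusted_host_patterns, string $fallback = '/'): string {
  $url = (string) ($query['url'] ?? '');
  return af_redirect_host_allowed($url, $trusted_host_patterns) ? $url : $fallback;
}

// Constructed settings.php fragment: trust the registration provider and its subdomains.
$settings['activity_finder_trusted_redirect_host_patterns'] = [
  '^exampleactivities\.com$',
  '^[a-z0-9-]+\.exampleactivities\.com$',
];

// Constructed requests to /af/register-redirect/1234?url=... (first two are
// allowed, the rest fall back to "/").
$cases = [
  'https://exampleactivities.com/register/1234',
  'https://register.exampleactivities.com/1234',
  'https://examplephishers.net',
  'https://exampleactivities.com.examplephishers.net/',
  'https://exampleactivities.com@examplephishers.net/',
  '//examplephishers.net/',
];
foreach ($cases as $url) {
  $target = af_register_redirect_target(
    ['url' => $url],
    $settings['activity_finder_trusted_redirect_host_patterns']
  );
  printf("%-55s -> %s\n", $url, $target);
}

// With no patterns configured (mitigation not applied), every request is now
// refused rather than passed through; this is why unconfigured sites may see
// their links stop redirecting after updating.
var_dump(af_redirect_host_allowed('https://exampleactivities.com/register/1234', []));
```

The check deliberately tests the parsed host rather than the raw string, and treats an empty allowlist as "deny everything": that second point is exactly the behavioural change behind mitigation 1, which is why a site that has not configured its patterns may see redirects stop working after updating.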

Layout Builder Roadmap

Our product plan for 2023


Layout Builder v1

Released in 9.2.12, December 2022

Page components

Accordions
Expandable pairs of question/answer or header/section fields.
Maps to paragraphs: accordion_section, faq, ymca_accordion
Cards (Horizontal & Vertical)
Flexible cards style components.
Carousels
A full-width display with multiple sets of a header, description, and call to action overlaid on an image
Grid CTA Content
Sets of headline, description, and link displayed in n-item wide rows. Sometimes icons or images are added
Hero Banners
A full-width, almost full-height display with a header, description, and call to action overlaid on an image
Ping Pong Blocks
Usually paired, sets of media, header, description, and call to action arranged horizontally
Promo Cards (sidebar only)
A title, headline, description, and link that usually display in the sidebar
Statistics
Infographic-like display to highlight relevant stats
Tabs
Allows users to switch page views by selecting tabs across the top of the page instead of having to navigate to a new page.
Simple Content (w/ responsive tables)
Allows for the management of responsive tables within a page.
Webforms
Basic webform that can be embedded within a page.
Simple Menu (sidebar only)
A simple 1-level sidebar menu that can display in either the right or left sidebar area.

Layout Builder v2

Planned for release 9.2.13, March 2023.

Content types

Articles (News / Blog / Press Release)
Ability to include Layout Builder components in Article pages; combining existing like-content types into a single CT.
Events
Ability to include Layout Builder components in Event pages.
Branch
Ability to include Layout Builder components in Branch pages.
Breadcrumbs
Secondary navigation that allows users to understand where they are located within a site.
Branch Menu (microsite menu)
Sub-menu that displays within a branch page (and sub-pages) that allows users to drill down to additional content specific to that branch.

Page components

Modals
Modals can be triggered on page load or when a button is clicked (i.e. confirmation screen).
Testimonials
Display of short testimonials or quotes from Y members
Partners / Sponsors
Displays logos / info of partners or sponsors
Staff Members
Displays simple staff member info cards with image, name, title
Related Articles
Component for displaying related articles within an article node page and within other pages using layout builder.
Related Events
Component for displaying related events within an event node page and within other pages using layout builder.
Branch Hours
Banner display individual branch hours and other branch-related info
Branch Amenities
All Amenities available at an individual branch.

There is a version of branch amenities that includes open vs closed amenities. For this version, we are going to keep it simple and only implement the variant that displays available/open amenities. We will come back to the one that lists open vs closed (see Middle Tennessee).

Branch Social Links
Should we include an area for social sharing links on individual branch / location pages in v2 or v3?

Layout Builder v3

Planned for June 2023.

Content Types

Camp
Content type for camp locations. Allows for flexibility to include Layout Builder components in the Camp CT pages. Additional items to consider including within the Camp CT template are: Pricing Charts, Schedules (see links for Camp Hanes)
Facility
Flexible CT for other location types, such as Child Cares. Allows for ability to include layout builder components in Facility CT pages.
Alerts
Ensure Alerts are working with the Layout Builder landing page content type, and other content types that might use alerts (Branches, Camps, etc)

Custom Pages / Applications

Locations Page
Ability to include Layout Builder components into the Location finder page, below the locations listing.
Membership Calculator
Ability to include Layout Builder components within the Membership Calculator landing pages
Virtual Y
Ability to include Layout Builder components into VirtualY pages
Activity Finder
Ability to include Layout Builder components within pages that display Activity Finder content
Global Header
Global header elements
Global Footer
Global footer elements
Utility Menu
Utility menu links
Mega Menu
Multi-level interactive menu (up to 3 levels)
Home / Preferred Branch
Allow for users to select a single branch location as their home / preferred branch via a modal that displays on the associations’ home page when the user first arrives on the site. Selecting a home branch will have a link to the Branch display in the user’s utility menu for easier access to the Branch page(s). Users can also select their home / preferred branch by checking the “My Home Branch” checkbox once on a Branch page. They can also deselect a Branch as their home Branch, and can click on the “Change” link to select another location from a modal.
Camp Menu
Menu for camp-specific pages; similar to Branch menu, but allows for 2 levels instead of a single level.
Camp Quick Links
Additional menu for camps that will allow for the placement of up to 6 additional links in addition to the camp menu

Page Components

Event Views & Filters
Views & filters for event listings that allow users to sort events by location and search by keyword.
Article Views & Filters
Views & filters for article listings that allow users to sort articles by location and topic tag, and search by keyword.
Location Amenities Filter (sidebar filter)
Amenities filter on Location finder page where users can select one or more amenities and have the location results display locations where those amenities are available. Amenities can be placed into categories, and those categories can be related to location content types (Branches, Camps, Facilities)
Camp Video Banner
Hero banner that displays an auto-playing video in desktop views, and a video on-click in mobile views.
Code Block
Need to move the Code Block into a Layout Builder component.