
Polyfill warning from Google; PHPMailer and PHP dotenv affected


I got a warning from Google saying that my website is using Polyfill framework on Google Maps: "Notification Title: [Security Alert]: Polyfill.io Issue for Google Maps Platform users". It advised users to remove Polyfill.io, see link: https://www.kaspersky.com/blog/polyfill-io-service-supply-chain-attacks/51635/

After looking through my codebase(s) I have found other places where the Polyfill framework is used, like PHPMailer (https://github.com/PHPMailer/PHPMailer, click on the composer.json file) and PHP dotenv (https://github.com/vlucas/phpdotenv, click on the composer.json file).

Here is more information on why it's advised to remove Polyfill, see link: https://github.com/formatjs/formatjs/issues/4363

I contacted the team at PHP dotenv just now, and so I'm still awaiting a response. I may have found a good replacement simply called dotenv, see link: https://github.com/symfony/dotenv. I cannot swear by this solution as I haven't had the opportunity to try it yet.

The problem is I haven't found a good alternative to PHPMailer.

Is anyone else facing the same problem? Any solutions yet?

PS: Just how severe is this? To put it short, it seems my visitors can be directed to shady betting websites and/or give up data unwaveringly, right...?

EDIT: I'm sorry if I scared any other newbies on PHP out there. Here is another Stack Overflow answer regarding this issue: [Security Alert]: Polyfill.io Issue for Google Maps Platform users in Angular

Please see Arthur Boucher's answer below!


Solution

  • There seems to be some confusion between the website polyfill.io and the concept of a polyfill. A polyfill is simply a library that adds backwards-compatibility to modern language or library features. The polyfills used in the PHP libraries you're linking to aren't provided by polyfill.io, and thus aren't affected by the issue.
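
The distinction drawn in the answer above, as an added example that is not part of the original post or of any project mentioned: a Python check that separates script URLs pointing at the polyfill.io host from Composer packages that only have "polyfill" in their name. The sample template and composer.json are constructed for illustration, and the function names are this example's own.

```python
import json
import re

# Matches a URL whose host is polyfill.io or a subdomain of it (e.g. cdn.polyfill.io),
# including protocol-relative URLs. Look-alike hosts such as polyfill.io.example.com
# and package names such as "symfony/polyfill-mbstring" do not match.
POLYFILL_IO_URL = re.compile(
    r"(?:https?:)?//(?:[a-z0-9-]+\.)*polyfill\.io(?=[/:?#\"'\s]|$)", re.IGNORECASE
)

def find_polyfill_io_refs(text):
    """Return (line_number, line) for each line that references the polyfill.io host."""
    return [
        (number, line.strip())
        for number, line in enumerate(text.splitlines(), 1)
        if POLYFILL_IO_URL.search(line)
    ]

def composer_polyfill_packages(composer_json):
    """Return Composer package names containing 'polyfill'.

    These are PHP libraries installed through Composer; they are not scripts
    served from polyfill.io, so they are reported separately.
    """
    data = json.loads(composer_json)
    names = set()
    for section in ("require", "require-dev", "suggest"):
        names.update(p for p in data.get(section, {}) if "polyfill" in p.lower())
    return sorted(names)

# Constructed sample inputs (not taken from any real site or project).
SAMPLE_TEMPLATE = "\n".join([
    "<!-- constructed sample page -->",
    '<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>',
    '<script src="https://maps.googleapis.com/maps/api/js?key=YOUR_KEY"></script>',
    '<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>',
    '<a href="https://polyfill.io.example.com/">look-alike host, not matched</a>',
])
SAMPLE_COMPOSER = json.dumps({
    "require": {"php": ">=7.2", "symfony/polyfill-mbstring": "^1.17"},
    "suggest": {"symfony/polyfill-ctype": "Pure-PHP ctype functions"},
})

if __name__ == "__main__":
    for number, line in find_polyfill_io_refs(SAMPLE_TEMPLATE):
        print(f"polyfill.io reference, line {number}: {line}")
    print("Composer polyfill packages:", composer_polyfill_packages(SAMPLE_COMPOSER))
```

Run the first function over the templates and JavaScript your site actually serves; hits there are what the Google notice is about, while the Composer list is informational only.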