Security issue with JavaScript library "polyfill.js"

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 29.0.5): 28.0.4.1
Operating system and version (eg, Ubuntu 24.04): ubuntu

The issue you are facing:
A supplier chain cyberattack against Polyfill.io occurred on 25th June (2024). >100,000 websites which use the Polyfill.io domain as part of their web browsing code have been compromised.

Questions:

  • Are there Polyfill dependencies embedded in NextCloud. Specifically, does NextClou reference polyfill.io as a CDN to serve PolyFill JavaScript libraries?

No, Nextcloud does not use any CDN services at all and thus can not be affected by this attack.