This week (25th June) security monitoring firms highlighted malware found in scripts loaded from cdn.polyfill.io, in particular polyfill.js, an open source library used to support JavaScript running in older browsers.
What did we do?
We immediately conducted a review of all of our products and found a single instance of a script loaded from cdn.polyfill.io. The affected product has been updated (the script has been removed) and the few clients who use it have been contacted directly. The product is not part of our standard site release build, so has not been widely deployed. If we didn't contact you, you aren't using the affected product.
What should I do?
If you have loaded any third party libraries from cdn.polyfill.io or the polyfill.io domain, remove them immediately. If you aren't sure, you can search in the forms designer for "polyfill.io". Third party scripts could be loaded using a helper.utilLoadScript() call, or directly in <script> tags. Polyfills typically support browsers pre IE11 (which was released in 2013) so there's rarely any need to use them.
Further reading
