Website Vulnerability Alert “Vulnerable JavaScript Detected – Polyfill.js”


I am the administrator of a website and monthly vulnerability scans are performed. In this case, a level 3 vulnerability was detected concerning Polyfill. The scan report states the following:

Threat

The polyfill.js is a popular open-source library to support older browsers. Thousands of sites embed it using the cdn.polyfill.io domain. In February 2024, a Chinese company (Funnull) bought the domain and the associated GitHub account. The company has modified the Polyfill.js script to introduce malicious code into websites. Any script adopted from cdn.polyfill.io would immediately be downloading malicious code from the Chinese company’s site.

QID Detection Logic (Unauthenticated):
This QID checks if the target is using the js file.

Impact
Presence of this JavaScript allows attackers to embed malicious JavaScript into the users’ websites, allowing them to steal sensitive data, redirect users to malicious websites, and possibly execute code.

Solution
Given that modern browsers do not require Polyfill, the original polyfill author recommends not using Polyfill at all. Recommended alternatives are CDNs such as Cloudflare and Fastly.

I have reviewed the dependencies, and several polyfill dependencies appear in the package-lock.json. I need to find a way to ensure this vulnerability no longer appears. Thank you very much.

Frontend code
Backend code
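The report's detection logic says the scanner checks whether the target page is using the script, so the place to look is what the site actually serves (HTML, templates, bundled JS) rather than only the npm lock file. The following Node script is an added example, not code from the question or from the scanner vendor: it reports every URL whose host is polyfill.io or a subdomain of it (cdn.polyfill.io included), with line numbers, and ignores look-alike hosts. The sample markup is constructed, and the non-polyfill.io replacement URL in it is only illustrative.

```javascript
// Added example: locate references to the compromised polyfill.io domain in
// served front-end text so the offending <script> tags can be removed.
// Sample input below is constructed for the demonstration.

const URL_RE = /(?:https?:)?\/\/[^\s"'<>()]+/gi;

// True when the URL's host is polyfill.io or any subdomain of it (e.g. cdn.polyfill.io).
// Comparing the parsed host avoids false positives like "polyfill.io.example.com".
function isPolyfillHost(url) {
  let host;
  try {
    // The base URL lets protocol-relative forms like //cdn.polyfill.io/... parse too.
    host = new URL(url, "https://placeholder.invalid/").hostname.toLowerCase();
  } catch (e) {
    return false;
  }
  return host === "polyfill.io" || host.endsWith(".polyfill.io");
}

// Scan one file's contents; returns [{ line, url }] for every polyfill.io reference.
function findPolyfillReferences(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const m of lineText.matchAll(URL_RE)) {
      if (isPolyfillHost(m[0])) hits.push({ line: i + 1, url: m[0] });
    }
  });
  return hits;
}

// Constructed sample page: two references that must be flagged, one script on a
// different host (illustrative replacement) and one look-alike host that must not be.
const SAMPLE_HTML = [
  "<!doctype html>",
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>',
  '<script src="//polyfill.io/v3/polyfill.min.js"></script>',
  '<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>',
  '<a href="https://polyfill.io.example.com/">not the CDN</a>',
].join("\n");

for (const h of findPolyfillReferences(SAMPLE_HTML)) {
  console.log(`line ${h.line}: ${h.url}`);
}
```

Run the same function over each file in the build output or template directory; any non-empty result is what the scanner's check will keep reporting until the tag is removed.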


