Should I be concerned that Recognize indirectly refers to JS from polyfill.io? (Supply-chain attack) #1155
Grepping through my app installation of nextcloud, I see the following:
Apparently polyfill.io's domain changed ownership, and the new owners are injecting malware to anyone importing their repos. I have absolutely no expertise in JS, nor how Nextcloud apps may or may not depend on JS. Is this a potential attack vector on the Recognize app or Nextcloud in general?
Thank you for raising this issue. Luckily this is not an attack vector on the recognize app or Nextcloud in general. The mentioned polyfill.io URL is only part of the build script for the documentation of a dependency of recognize.
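The distinction drawn in the reply, a reference inside a dependency's documentation build script versus one a browser would actually load, can be checked on an installation with a scan like the one below. This is an added example, not part of the original discussion and not Recognize or Nextcloud code; the three classes, the directory names they key on, and the sample tree are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Recognize or Nextcloud code): triage polyfill.io hits in an app tree.
# The classes are a heuristic assumed for this example:
#   script-tag  markup that makes a browser fetch the script directly
#   build-docs  hit under a docs/, doc/, build/ or scripts/ directory of the scanned tree
#   review      anything else; read the file to see whether it ever reaches a browser
scan_polyfill() {
    root=$1
    # -I skips binary files, -l lists each matching file once.
    grep -rIli -E 'polyfill\.io' "$root" 2>/dev/null | sort |
    while IFS= read -r file; do
        grep -n -i -E 'polyfill\.io' "$file" |
        while IFS=: read -r line text; do
            if printf '%s\n' "$text" |
               grep -qiE "<script[^>]*src=[\"'][^\"']*polyfill\.io"; then
                class=script-tag
            else
                # Classify on the path relative to the scanned root only.
                case /${file#"$root"} in
                    */docs/*|*/doc/*|*/build/*|*/scripts/*) class=build-docs ;;
                    *) class=review ;;
                esac
            fi
            printf '%s\t%s:%s\n' "$class" "$file" "$line"
        done
    done
}

# Constructed sample tree (hypothetical paths and contents) so the scan runs offline.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/node_modules/somedep/docs" "$d/templates" "$d/src"
    printf '%s\n' '#!/bin/sh' 'POLYFILL_URL=https://polyfill.io/EXAMPLE.js' \
        > "$d/node_modules/somedep/docs/build.sh"
    printf '%s\n' '<html>' '<script src="https://polyfill.io/EXAMPLE.js"></script>' \
        > "$d/templates/page.html"
    printf '%s\n' '// see https://polyfill.io for background' > "$d/src/util.js"
    printf '%s\n' 'console.log("no match here")' > "$d/src/clean.js"
    printf '%s\n' "$d"
}

# Usage: scan_polyfill /path/to/nextcloud/apps/recognize
```

A `build-docs` hit matches the situation described in the reply; a `script-tag` hit is the case that would need action, and `review` hits need a manual look at how the file is used.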