From 3d594c9e59c0ea2fc3220a0a64cc9a04885b54e8 Mon Sep 17 00:00:00 2001
From: Gianpaolo <gianpaolosinatra@gmail.com>
Date: Mon, 9 Mar 2026 18:13:21 +0100
Subject: [PATCH] security: remove polyfill.io script tag from
 public/index.html
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The polyfill.io domain was compromised in 2024 and used to inject
malicious JavaScript via CDN responses. All loaded features (replaceAll,
IntersectionObserver, map, reduce) are natively supported by all modern
browsers — no alternative needed.
---
 public/index.html | 1 -
 1 file changed, 1 deletion(-)

diff --git a/public/index.html b/public/index.html
index dbc83bc4..95edfb1c 100644
--- a/public/index.html
+++ b/public/index.html
@@ -79,7 +79,6 @@
       type="text/css"
       media="all"
     />
-    <script src="https://polyfill.io/v3/polyfill.min.js?features=String.prototype.replaceAll%2CIntersectionObserver%2CArray.prototype.map%2CArray.prototype.reduce"></script>
     <script
       type="text/javascript"
       src="https://maps.googleapis.com/maps/api/js?key=AIzaSyDy8e6_8uv8JnNZFRXng6HfbhnhvobWyac&libraries=places"