chrisphan.com

IMPORTANT message for MathJax users

2024-06-25 / 2024-W26-2T22:20:00-05:00 / 0x667b88e0

Categories: programming, math

If you have ever used MathJax (an awesome tool that makes it easy to display mathematics on your website), you may have copied the following into your HTML, following the directions on their website:

```html
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script id="MathJax-script" async src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
```

If you did that, you are going to want to delete that first line immediately. This loads a piece of JavaScript from the domain polyfill.io, and as Simon Willison put it

if you are loading assets from the cdn.polyfill.io domain you need to remove that right now: the new owners of the domain (as of a few months ago) appear to be using it to serve malicious JavaScript.

(Yes, the code from the MathJax site loads polyfill.min.js from polyfill.io, not cdn.polyfill.io, but the warning still applies.)

Willison further explains that the purpose of the polyfill.io service

was to serve up a set of JavaScript polyfills - pieces of code that implemented missing web platform features for older browsers - dynamically, based on the incoming user-agent. This required a CDN that varied its output dynamically based on the user-agent, hence the popularity of the single hosted service.

Andrew Betts, the original author of the service, has been warning people to move off it since February 20[2]4 [...]

He now works for Fastly, which started offering a free polyfill-fastly.io alternative in February. Andrew says you probably don't need that either, given that modern browsers have much better compatibility than when the service was first introduced over a decade ago.

I use MathJax a lot on this site, which allows me to show mathematical content such as \[\int_{-1}^1 \sqrt{1 - x^2}\; dx\] or \[\mu: V^{\otimes j} \otimes V^{\otimes k} \rightarrow V^{\otimes (k + j)}.\]

Every page with MathJax content on this site (and there are quite a few) contained the two lines of HTML displayed at the start of this post. I removed the first line (without specifying an alternative) and everything seems to be working fine.
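If you have many pages carrying those two lines, the following is one way to strip every script tag served from polyfill.io (the apex domain and any subdomain such as cdn.polyfill.io) and to list which third-party script hosts a page still depends on. This is an added example written for this post, not the author's code or anything from the MathJax project; the sample HTML is constructed from the two lines above, and the untrusted-host set is an assumption you would adjust to your own site.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the two lines from the MathJax instructions inside a minimal head.
SAMPLE_HTML = """<!DOCTYPE html>
<head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script id="MathJax-script" async src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
</head>"""

# Assumption: only this domain is in scope; matching covers the apex and all subdomains.
UNTRUSTED_HOSTS = {"polyfill.io"}

# An external <script ... src="..."></script> element plus the line break that follows it,
# so that removing the tag does not leave a blank line behind.
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"'][^>]*>\s*</script>[ \t]*\n?",
    re.IGNORECASE,
)


def script_host(src: str) -> str:
    """Lowercase hostname of a script src; protocol-relative URLs get a scheme first."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def is_untrusted(src: str) -> bool:
    """True when the src host is an untrusted domain or one of its subdomains."""
    host = script_host(src)
    return any(host == h or host.endswith("." + h) for h in UNTRUSTED_HOSTS)


def strip_untrusted_scripts(html: str) -> tuple[str, list[str]]:
    """Return the HTML without untrusted script tags, plus the src values that were removed."""
    removed: list[str] = []

    def repl(match: re.Match) -> str:
        src = match.group(1)
        if is_untrusted(src):
            removed.append(src)
            return ""
        return match.group(0)

    return SCRIPT_TAG.sub(repl, html), removed


def external_script_hosts(html: str) -> list[str]:
    """Sorted list of hosts the page still loads scripts from, for review."""
    return sorted({script_host(m.group(1)) for m in SCRIPT_TAG.finditer(html)} - {""})
```

Running `strip_untrusted_scripts` over each page's HTML and writing the result back reproduces the edit described in the last paragraph, and `external_script_hosts` tells you what else the page still pulls in from elsewhere.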