From what I can see based on a Google search of “SMW-INJ-27295-js.spam-5”, a number of people have posted in the last couple of days from various platforms that ImunifyAV has reported this. As far as I am aware, there is no issue in the script distributed with Photonic. You can verify the original source code of the file too from here. You might want to compare your local file with this one.
Here’s what I would suggest:
- First do the file comparison between the files line-by-line as per my suggestion. If the files are same, then let me know, and I will have to investigate. WP plugins go through a level of security scans, but it is possible that their scans don’t catch all issues.
- If the files are different, it means that something has modified your file. This could well be due to a vulnerability in a different plugin. Generally, a compromised plugin will add malware in quite a few other places to misdirect.
- It is also possible that the bug is in ImunifyAV, and that they are performing mistaken identifications. I say this based on the multiple reports from other platforms (including Joomla) reporting this.
Regarding the issue about polyfill.io, you can also see here, where I responded to a question from someone about 3 months back. Polyfill’s CDN was compromised, but Photonic never referenced that script from the CDN, rather it had a much smaller list of polyfills, mostly from a number of places (primarily Mozilla’s MDN).
Just as a precaution, I have removed the file – it was anyway needed for IE versions 11 and lower, which are all deprecated. If you fetch version 3.11, you shouldn’t see any issue.
However, I would suggest some scrutiny of the ImunifyAV plugin and its output. Points #2 and #3 from my previous post will still apply, specifically since there was no bad code in the Polyfill file. So, you either have another vulnerable plugin, or there is a bug in the ImunifyAV plugin.