From dec907fd8168f46b82a49a8fce3725578cf7a18b Mon Sep 17 00:00:00 2001 From: CharlesRN <125233614+CharlesRN@users.noreply.github.com> Date: Wed, 26 Jun 2024 12:23:10 +0800 Subject: [PATCH] JavaScript Polyfill Supply Chain Attack (#824) * Updated this advisory with product affected version * Format markdown docs * JavaScript Polyfill Supply Chain Attack * Format markdown docs --------- Co-authored-by: CharlesRN Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- ...op-Mark-of-the-Web-Bypass-Vulnerability.md | 6 ++--- ...JavaScript-Polyfill-Supply-Chain-Attack.md | 23 +++++++++++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 docs/advisories/20240626004-JavaScript-Polyfill-Supply-Chain-Attack.md diff --git a/docs/advisories/20240617002-Dropbox-Desktop-Mark-of-the-Web-Bypass-Vulnerability.md b/docs/advisories/20240617002-Dropbox-Desktop-Mark-of-the-Web-Bypass-Vulnerability.md index 83340e3f..31f865ca 100644 --- a/docs/advisories/20240617002-Dropbox-Desktop-Mark-of-the-Web-Bypass-Vulnerability.md +++ b/docs/advisories/20240617002-Dropbox-Desktop-Mark-of-the-Web-Bypass-Vulnerability.md @@ -6,9 +6,9 @@ This vulnerability allows remote attackers to bypass the Mark-of-the-Web protect ## What is vulnerable? -| Products Affected. | CVE | CVSS | Severity | -| ---------------------------------- | --------------------------------------------------------------- | ---- | -------- | -| **Dropbox Desktop Folder Sharing** | [CVE-2024-5924](https://nvd.nist.gov/vuln/detail/CVE-2024-5924) | 8.8 | **High** | +| Products Affected. | CVE | CVSS | Severity | +| ------------------------------------------------------------ | --------------------------------------------------------------- | ---- | -------- | +| **Dropbox Desktop Folder Sharing** Versions prior 198.4.7615 | [CVE-2024-5924](https://nvd.nist.gov/vuln/detail/CVE-2024-5924) | 8.8 | **High** | ## What has been observed? diff --git a/docs/advisories/20240626004-JavaScript-Polyfill-Supply-Chain-Attack.md b/docs/advisories/20240626004-JavaScript-Polyfill-Supply-Chain-Attack.md new file mode 100644 index 00000000..9823bc80 --- /dev/null +++ b/docs/advisories/20240626004-JavaScript-Polyfill-Supply-Chain-Attack.md @@ -0,0 +1,23 @@ +# JavaScript Polyfill Supply Chain Attack - 20240626004 + +## Overview + +The JavaScript library Polyfill.io, which is extensively utilized, has been flagged for substantial security vulnerabilities after being acquired by the Chinese firm Funnull. Sansec, a cybersecurity firm, has issued a warning that since the acquisition earlier this year, the polyfill.io service and domain have been compromised to inject harmful code into websites, indicating a supply chain attack which impacts over 100K sites. + +## Summary + +The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. + +In addition, the decrypted malware code redirects users to a sports betting website using a dummy Google analytics domain (www.googie-anaiytics.com). The code is designed to prevent against reverse engineering and only activates on specific mobile devices at specific hours. It also does not turn on when it detects an admin user, and delays execution when a web analytics service is found, presumably so that it does not appear in the statistics. + +Currently, the cdn.polyfill.io domain is inexplicably diverted to Cloudflare's mirror. However, because the domain's DNS servers are unaltered, the owners can easily switch it back to their own domains at any time. + +Google has also started blocking Google Ads for websites using the affected code to reduce the number of potential targets. + +## Recommended Mitigations + +The WA SOC recommends that any website currently using Polyfill.io to immediately remove its code to avoid potential security breaches. The web administrator are encouraged to support secure and sustainable alternatives to ensure the integrity of their projects. + +## Reference + +- Bleeping Computer: