2024-06-27 13:30:06 +00:00
|
|
|
id: polyfill-backdoor
|
2024-06-25 13:36:55 +00:00
|
|
|
|
|
|
|
info:
|
2024-07-15 13:18:30 +00:00
|
|
|
name: Polyfill.io - Backdoor
|
2024-06-25 13:36:55 +00:00
|
|
|
author: kazet
|
2024-07-01 08:23:52 +00:00
|
|
|
severity: high
|
2024-06-27 10:46:00 +00:00
|
|
|
description: |
|
|
|
|
The polyfill.io CDN was suspected to serve malware.
|
2024-06-25 13:36:55 +00:00
|
|
|
reference:
|
|
|
|
- https://sansec.io/research/polyfill-supply-chain-attack
|
|
|
|
- https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834
|
|
|
|
- https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
|
|
|
|
metadata:
|
|
|
|
verified: true
|
|
|
|
max-request: 1
|
2024-06-27 10:46:00 +00:00
|
|
|
shodan-query: html:"polyfill.io"
|
2024-06-27 13:30:06 +00:00
|
|
|
tags: cdn,polyfill-io,backdoor,malware
|
2024-06-25 13:36:55 +00:00
|
|
|
|
|
|
|
http:
|
|
|
|
- method: GET
|
|
|
|
path:
|
|
|
|
- "{{BaseURL}}"
|
|
|
|
|
|
|
|
redirects: true
|
|
|
|
max-redirects: 1
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: regex
|
|
|
|
part: body
|
|
|
|
regex:
|
|
|
|
- "<script[^>]* src=['\"]https?://([a-zA-Z0-9-]*.)?polyfill.io[/'\"]"
|
2024-07-15 15:11:10 +00:00
|
|
|
# digest: 4a0a0047304502203f42ee7cd83f09782d81dcd502e2ed01add4d201cceb9baf65a2a240203f8046022100a05c40d55db5434ccc8fb01d0df8479216dc0191ebf471f93bcfb3d7adff0309:922c64590222798bb761d5b6d8e72950
|