Merge pull request #10128 from kazet/polyfill-io

polyfill.io detection

http/vulnerabilities/backdoor/polyfill-backdoor.yaml

@@ -0,0 +1,32 @@
+id: polyfill-backdoor
+
+info:
+  name: Polyfill.io - Detection
+  author: kazet
+  severity: low
+  description: |
+    The polyfill.io CDN was suspected to serve malware.
+  reference:
+    - https://sansec.io/research/polyfill-supply-chain-attack
+    - https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834
+    - https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"polyfill.io"
+  tags: cdn,polyfill-io,backdoor,malware
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    redirects: true
+    max-redirects: 1
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "<script[^>]* src=['\"]https?://([a-zA-Z0-9-]*.)?polyfill.io[/'\"]"