From 9428f72a35378b4f3dc0a37117f477abc2146f87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Zaj=C4=85c?=
Date: Tue, 25 Jun 2024 15:36:55 +0200
Subject: [PATCH] polyfill.io detection
---
http/miscellaneous/polyfill-io.yaml | 30 +++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 http/miscellaneous/polyfill-io.yaml
diff --git a/http/miscellaneous/polyfill-io.yaml b/http/miscellaneous/polyfill-io.yaml
new file mode 100644
index 0000000000..d326e0bc9e
--- /dev/null
+++ b/http/miscellaneous/polyfill-io.yaml
@@ -0,0 +1,30 @@
+id: polyfill-io-detect
+
+info:
+ name: Polyfill.io Detection
+ author: kazet
+ severity: low
+ description: The polyfill.io CDN was suspected to serve malware.
+ reference:
+ - https://sansec.io/research/polyfill-supply-chain-attack
+ - https://web.archive.org/web/20240229113710/https://github.com/polyfillpolyfill/polyfill-service/issues/2834
+ - https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
+ metadata:
+ verified: true
+ max-request: 1
+ tags: cdn,polyfill.io
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}"
+
+ redirects: true
+ max-redirects: 1
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "]* src=['\"]https?://([a-zA-Z0-9-]*.)?polyfill.io[/'\"]"
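Review bot: The dots in the host part of the `regex` matcher are unescaped, so `([a-zA-Z0-9-]*.)?polyfill.io` also matches unrelated hosts such as `notpolyfill.io` or `polyfillXio` (constructed examples), which would produce false positives for this supply-chain check. Escaping them inside the double-quoted scalar, `([a-zA-Z0-9-]+\\.)?polyfill\\.io`, restricts the match to polyfill.io and its subdomains. The pattern also requires an explicit `https?://`, so protocol-relative script URLs such as `src="//cdn.polyfill.io/..."` would be missed; `(https?:)?//` would cover them. `matchers-condition: and` has no effect with a single matcher and could be dropped. The start of the regex appears truncated on this page, so only the host portion is quoted here.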