Create CVE-2024-38526.yaml

2024-06-28 13:21:11 +02:00 · 2024-06-28 13:21:11 +02:00 · e268102246
parent 5eb08a82d4
commit e268102246
1 changed files with 56 additions and 0 deletions
--- a/headless/2024/CVE-2024-38526.yaml
+++ b/headless/2024/CVE-2024-38526.yaml
@ -0,0 +1,56 @@
+id: CVE-2024-38526
+
+info:
+  name: CVE-2024-38526 - Untrusted 3rd party
+  author: abut0n
+  severity: high
+  description: |
+    The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io. However, in February of 2024, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io
+  impact: |
+    The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.
+  remediation: |
+    Remove the dependecy.
+  reference:
+    - https://sansec.io/research/polyfill-supply-chain-attack
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-38526
+    - https://x.com/triblondon/status/1761852117579427975
+  tags: CVE,CVE-2024-38526,headless,supply-chain
+
+headless:
+  - steps:
+      - args:
+          url: "{{BaseURL}}"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract
+        args:
+          code: |
+            () => {
+             return '\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n'
+            }
+
+    extractors:
+      - type: kval
+        part: extract
+        name: urls
+        internal: true
+        kval:
+          - extract
+
+    matchers:
+      - type: word
+        words:
+          - "polyfill.io"
+          # More domains that have been used by the same actor to spread malware since at least June 2023: bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com.
+          - "bootcdn.net"
+          - "bootcss.com"
+          - "staticfile.net"
+          - "staticfile.org"
+          - "unionadjs.com"
+          - "xhsbpza.com"
+          - "union.macoms.la"
+          - "newcrbpc.com"
+        part: urls