diff --git a/headless/2024/CVE-2024-38526.yaml b/headless/2024/CVE-2024-38526.yaml
new file mode 100644
index 0000000000..445d1debf4
--- /dev/null
+++ b/headless/2024/CVE-2024-38526.yaml
@@ -0,0 +1,56 @@
+id: CVE-2024-38526
+
+info:
+  name: CVE-2024-38526 - Untrusted 3rd party
+  author: abut0n
+  severity: high
+  description: |
+    The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io. However, in February of 2024, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io
+  impact: |
+    The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.
+  remediation: |
+    Remove the dependecy.
+  reference:
+    - https://sansec.io/research/polyfill-supply-chain-attack
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-38526
+    - https://x.com/triblondon/status/1761852117579427975
+  tags: CVE,CVE-2024-38526,headless,supply-chain
+
+headless:
+  - steps:
+      - args:
+          url: "{{BaseURL}}"
+        action: navigate
+
+      - action: waitload
+
+      - action: script
+        name: extract
+        args:
+          code: |
+            () => {
+              return '\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n'
+            }
+
+    extractors:
+      - type: kval
+        part: extract
+        name: urls
+        internal: true
+        kval:
+          - extract
+
+    matchers:
+      - type: word
+        words:
+          - "polyfill.io"
+          # More domains that have been used by the same actor to spread malware since at least June 2023: bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com.
+          - "bootcdn.net"
+          - "bootcss.com"
+          - "staticfile.net"
+          - "staticfile.org"
+          - "unionadjs.com"
+          - "xhsbpza.com"
+          - "union.macoms.la"
+          - "newcrbpc.com"
+        part: urls
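Review bot: The `word` matcher at the end of the hunk does substring containment over the whole extracted URL list, and the extractor script collects every `[href]` and `[action]` on the page, so a site that merely links to an advisory or blog post whose path contains `polyfill.io` (or any of the other names) is reported as embedding the malicious CDN, which is a false positive with `severity: high` attached. Anchoring the match to the URL's host component avoids this; since the `urls` value is one string joined with `\r\n`, the regex needs the multiline flag for `^` to apply per line. The rewritten matcher below keeps the same domain list and the same `part: urls`. Separately, `remediation` reads `dependecy` and is emitted in scan output; `dependency` would be the intended word.

```yaml
    matchers:
      - type: regex
        part: urls
        regex:
          # Host-anchored (with multiline): the actor's domain or a subdomain must be the URL authority,
          # so a page that only links to a write-up mentioning these names is not flagged.
          - "(?mi)^https?://([a-z0-9-]+\\.)*(polyfill\\.io|bootcdn\\.net|bootcss\\.com|staticfile\\.net|staticfile\\.org|unionadjs\\.com|xhsbpza\\.com|union\\.macoms\\.la|newcrbpc\\.com)(:[0-9]+)?(/|$)"
```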