Create CVE-2024-38526.yaml
parent
5eb08a82d4
commit
e268102246
@ -0,0 +1,56 @@
id: CVE-2024-38526
info:
name: CVE-2024-38526 - Untrusted 3rd party
author: abut0n
severity: high
description: |
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io. However, in February of 2024, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io
impact: |
The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.
remediation: |
Remove the dependecy.
reference:
- https://sansec.io/research/polyfill-supply-chain-attack
- https://nvd.nist.gov/vuln/detail/CVE-2024-38526
- https://x.com/triblondon/status/1761852117579427975
tags: CVE,CVE-2024-38526,headless,supply-chain
headless:
- steps:
- args:
url: "{{BaseURL}}"
action: navigate
- action: waitload
- action: script
name: extract
args:
code: |
() => {
return '\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n'
}
extractors:
- type: kval
part: extract
name: urls
internal: true
kval:
- extract
matchers:
- type: word
words:
- "polyfill.io"
# More domains that have been used by the same actor to spread malware since at least June 2023: bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com.
- "bootcdn.net"
- "bootcss.com"
- "staticfile.net"
- "staticfile.org"
- "unionadjs.com"
- "xhsbpza.com"
- "union.macoms.la"
- "newcrbpc.com"
part: urls
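Review bot: the `extract` script in the `headless` step (the `code:` block) collects `href` from every element, so a page that merely links to the domain with `<a href="https://polyfill.io/...">` (for example an article about the incident) is reported as if it embedded the dependency, and the same holds for the other listed domains; since the supply-chain risk comes from resources the browser actually loads, consider narrowing the selector to `script[src], link[href], iframe[src]` and similar loadable elements, or at least document the false-positive risk in `description`. Two smaller points in the same block: `i.url` is not a DOM property, so elements selected by `[url]` yield `undefined` unless read with `i.getAttribute('url')`, and the `word` matcher is a substring test, so `"polyfill.io"` also fires on any longer hostname or path that contains it. In `info`, `remediation` has a typo (`dependecy` should read `dependency`), and the template lacks the `classification` block (`cve-id`, `cwe-id`, `cvss-metrics`, `cvss-score`) that the nuclei-templates convention expects for CVE templates.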