# Nuclei headless template: flags pages that reference the polyfill.io CDN
# (or the sibling CDN domains listed in the matcher) in URL-bearing attributes.
# Detection only — it reports that a page loads assets from a known-compromised
# CDN, not that a malicious payload was actually delivered.
#
# NOTE(review): the trailing "# digest:" line is the nuclei template signature.
# Any change to this file, comments included, invalidates it; re-sign the
# template after editing or nuclei treats it as unsigned.
id: CVE-2024-38526

info:
  name: Polyfill Supply Chain Attack Malicious Code Execution
  author: abut0n
  severity: high
  description: |
    pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io
  impact: |
    The polyfill.io CDN has been sold and now serves malicious code.
  remediation: |
    This issue has been fixed in pdoc 14.5.1.
  reference:
    - https://sansec.io/research/polyfill-supply-chain-attack
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38526
    - https://x.com/triblondon/status/1761852117579427975
    - https://github.com/mitmproxy/pdoc/pull/703
    - https://github.com/mitmproxy/pdoc/security/advisories/GHSA-5vgj-ggm4-fg62
  classification:
    # Scope: changed (S:C) — the impact lands on visitors of the generated docs,
    # not on the host serving them; the 7.2 base score matches this vector.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
    cvss-score: 7.2
    cve-id: CVE-2024-38526
    epss-score: 0.00045
    epss-percentile: 0.16001
  tags: cve,cve2024,supply-chain,polyfill

headless:
  - steps:
      # 1. Load the target page in the headless browser.
      - args:
          url: "{{BaseURL}}"
        action: navigate
      # 2. Wait for the load event so dynamically inserted tags are present.
      - action: waitload
      # 3. Collect every URL-bearing attribute from the rendered DOM. The result
      #    is stored under the step name "extract" for the extractor below.
      #    .src / .href / .action are DOM properties, so they yield the resolved
      #    absolute URL rather than the raw attribute text.
      #    Only these four attributes are inspected: references made from inline
      #    script text or CSS imports are not seen by this check.
      #    NOTE(review): ".url" is not a standard DOM property, so elements
      #    matched solely by the "[url]" selector most likely contribute
      #    undefined (dropped by join) — confirm before relying on that selector.
      - action: script
        name: extract
        args:
          code: |
            () => { return '\n' + [...new Set(Array.from(document.querySelectorAll('[src], [href], [url], [action]')).map(i => i.src || i.href || i.url || i.action))].join('\r\n') + '\n' }

    extractors:
      # Copies the script output into the named value "urls". It is internal,
      # i.e. not reported in the result output; it only feeds the matcher.
      - type: kval
        part: extract
        name: urls
        internal: true
        kval:
          - extract

    matchers:
      # Case-sensitive substring match over the collected URL list (any word
      # matches). A hit means a resource URL contains one of these CDN domain
      # strings anywhere — host, path or query — so expect occasional false
      # positives and verify the actual host of the referenced asset.
      - type: word
        words:
          - "polyfill.io"
          - "bootcdn.net"
          - "bootcss.com"
          - "staticfile.net"
          - "staticfile.org"
          - "unionadjs.com"
          - "xhsbpza.com"
          - "union.macoms.la"
          - "newcrbpc.com"
        part: urls
# digest: 4a0a004730450221008b738ec6c666368330687e6764dc2fcbf3c95a84d56a6899b655a191a14df157022007e079eb3a5924e73ce46bd10dc18a84a6fad8871ef0e58954377fe4f87fb47e:922c64590222798bb761d5b6d8e72950