What CVE should I use for the Polyfill[.]io supply chain attack? I see that CVE-2024-38526 exists, but it's specifically for pdoc. Is there a better one?
Y'all remember #PolyfillIO?
I realize the lesson there is: don't depend on code from domains you don't control, and in an ideal world that's what you should do.
But is there still a need there? Are there #webPlatform features you'd like to use but you don't want to introduce a build process just to bundle the #polyfill from #NPM?
Or is there no point in #polyfills since #browsers don't share caches between origins these days so there's no precaching benefit anymore?
So, I'm thinking; what if I build polyfill.io, but on the Blockchain! Hey come back..
Hear me out; #fleekfunctions are immutable, and transparent. So long as the #fleeknetwork nodes can be trusted to execute the code properly (I presume there are cryptographic guarantees of output validity) then it could be safer from supply chain attacks.
#webDev #polyfillio #polyfill #supplyChain #hacking #web3 #blockchain #fleek #javaScript
On July 5th, PolyfillIO switched to polyfill[.]top
This domain is currently unblocked by uBlock Origin and all major blocklists.
Tweet: https://x[.]com/Polyfill_Global/status/1809122842145141114
Thread with more information and also making fun of Windows users.
384,000 sites pull code from sketchy code library recently bought by Chinese firm | @dangoodin
A supply-chain attack on Polyfill.io, a #JavaScript library, redirected users to malicious sites. So far, bootcss.com is the only domain showing any signs of potential malice. The nature of the other associated endpoints remains unknown
#CyberSecurity #SupplyChainAttack #WebDevelopment #WebProgramming #WebSecurity #Polyfill #PolyfillIO
> #China-based company #Funnull acquired the domain and the GitHub account that hosted the #JavaScript code. On June 25, researchers from #security firm Sansec reported that code hosted on the polyfill domain had been changed to redirect users to adult- and gambling-themed websites. The code was deliberately designed to mask the redirections by performing them only at certain times of the day and only against visitors who met specific criteria.
If you're using #polyfillio code on your site, like 100,000+ are, remove it immediately
https://www.theregister.com/2024/06/25/polyfillio_china_crisis/
#JavaScript service Polyfill.io: 100,000 sites embed malicious code via CDN | Developer https://www.heise.de/news/Jetzt-handeln-Schadcode-ueber-CDN-des-JavaScript-Service-Polyfill-io-verteilt-9778256.html #polyfillio
Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator
#CDN #CLOUDFLARE #POLYFILLIO #SUPPLYCHAINATTACK https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/
> The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator
> Researchers discovered a public GitHub repository where the purported operators of Polyfill.io had accidentally exposed their Cloudflare secret keys.
LOL, FAIL!
#polyfill #polyfillio #cloudflare #bootcdn #bootcss #staticFile #security
A large #supplychain attack conducted via multiple #CDN, namely #PolyfillIo, #BootCDN, #Bootcss, & #Staticfile, that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator.
A GitHub repository was found where the purported operators of Polyfill.io had accidentally exposed their #Cloudflare keys.
Using the leaked #API keys, researchers were able to establish that a common operator was behind all four domains and the wider #supplychainattack.
https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/
Well, apparently we see the #polyfillio situation explode big time: https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/
JavaScript service Polyfill.io: 100,000 sites embed malicious code via CDN | heise online
https://heise.de/-9778256 #ContentDeliveryNetwork #CDN #Polyfillio
uBlock Origin has blocklisted polyfill[.]com
#OpenSource libs routinely use polyfill.io. Just bc you aren't using the compromised #CDN directly, one of your deps might be. We put together a list of recently released pkgs that ref polyfill.io!
uBlock Origin is now blocking polyfill.io
Your regular reminder that AdBlockers are not just for hiding banner ads, they are also an indispensable tool for #privacy and #security
https://github.com/uBlockOrigin/uAssets/commit/91dfc54aed0f0aa514c1a481c3e63ea16da94c03
/cc @AmeliaBR
#polyfillio #ublock #supplyChain #polyfill #uBlockOrigin #adBlocker
GitHub has placed a warning on the PolyfillIO repository (https://github.com/polyfillpolyfill/polyfill-service), and has denied access for non-logged in users. The other two repositories owned by that account are unblocked. Dismissing the warning appears to be permanent for an account.
Re the #polyfillio malware issue:
I've seen a lot of people telling web developers to update any sites that use the service. But we all know there are countless unmaintained websites out there for small business and orgs.
The other thing that should be done is client-side: block access to the URL so your browser won't download the malware even if a website asks it to.
Anyone got a good guide for doing that, at the individual browser or OS level? (For those without institutional firewalls.)
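For the source-side check that the earlier post about transitive deps and this one both point at, here is an added example (not from any post in this thread): a small Node script that scans page markup for script tags pulling from the domains named above and also flags any other third-party script that carries no integrity attribute. The host list holds only domains mentioned in the thread and is meant to be extended; the sample HTML and the subdomain cdn.bootcss.com are constructed for the demo.

```javascript
// Added example: audit HTML for <script src> pulls from the domains named in this
// thread, and flag other third-party scripts with no Subresource Integrity hash.
// Host list holds only domains mentioned above; extend it for your own use.
const BLOCKED_HOSTS = ["polyfill.io", "polyfill.com", "polyfill.top", "bootcss.com"];
// Constructed sample page; cdn.bootcss.com is an assumed subdomain.
const SAMPLE_HTML = `
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src='//cdn.bootcss.com/jquery/3.6.0/jquery.min.js'></script>
<script src="https://example.invalid/lib.js" integrity="sha384-EXAMPLE" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
<script>console.log("inline")</script>
`;
// Pull every <script ... src=...> out of the markup (inline scripts are skipped).
function scriptRefs(html) {
  const refs = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = attrs.match(/\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    if (!src) continue;
    refs.push({ url: src[1] ?? src[2] ?? src[3], hasIntegrity: /\bintegrity\s*=/i.test(attrs) });
  }
  return refs;
}
// Hostname of an absolute or protocol-relative URL; null for same-origin paths.
function hostOf(url) {
  try {
    return new URL(url.startsWith("//") ? "https:" + url : url).hostname.toLowerCase();
  } catch {
    return null;
  }
}
// Exact match or any subdomain of a listed host (so "notpolyfill.io" does not match).
function isBlockedHost(host) {
  return BLOCKED_HOSTS.some((b) => host === b || host.endsWith("." + b));
}
// Findings: "blocked-host" for listed domains, "no-sri" for other third-party scripts.
function auditHtml(html) {
  const findings = [];
  for (const { url, hasIntegrity } of scriptRefs(html)) {
    const host = hostOf(url);
    if (!host) continue;
    if (isBlockedHost(host)) findings.push({ url, host, reason: "blocked-host" });
    else if (!hasIntegrity) findings.push({ url, host, reason: "no-sri" });
  }
  return findings;
}
console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
```

Note that the "no-sri" finding is general hygiene: polyfill.io served browser-specific output, so an integrity hash could never have pinned it, which is exactly why the domain itself has to be on the block list.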
PolyfillIO maintainer denies they are serving malicious JavaScript
Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would jeopardize our own reputation.
https://github.com/polyfillpolyfill/polyfill-service/issues/2890#issuecomment-2191461961