Detections
Analytics
Polyfill Detected
high Web App Scanning Plugin ID 114357
Language:
Synopsis
Polyfill DetectedDescription
The `polyfill.js` file is a popular open-source library to ensure old browsers compatibility when evaluating JavaScript code. Starting February 2024, the domain `polyfill.io` and the related GitHub account have been purchased by a malicious threat actor to inject malwares in all web applications relying on, at least, the `cdn.polyfill.io` domain. The `polyfill.js` file cannot be trusted anymore as the malicious code could have been redistributed on other CDNs or locally copied in various plugins.Solution
Remove the detected file(s) immediately from the web application if they are embedded in it, and ensure that the script is not loaded from any untrusted external source. Some vendors have already put some mitigations in place to rewrite content using the malicious `polyfill.io` domain or to serve a safe version of the library.See Also
https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
Plugin Details
Severity: High
ID: 114357
Type: remote
Family: Component Vulnerability
Published: 6/28/2024
Updated: 6/28/2024
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS Score Source: CVE-2024-38526
CVSS v3
Risk Factor: High
Base Score: 7.2
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
CVSS Score Source: CVE-2024-38526
Reference Information
CVE: CVE-2024-38526
CWE: 506
OWASP: 2013-A9, 2017-A9, 2021-A6
DISA STIG: APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1
PCI-DSS: 3.2-6.2