The Web Design Group

... Making the Web accessible to all.

Welcome Guest ( Log In | Register )

 
Reply to this topicStart new topic
Polyfill.io JavaScript supply chain attack impacts over 100K sites
Christian J, Jun 29 2024, 04:25 AM (Post #1)


.
********

Group: WDG Moderators
Posts: 9,743
Joined: 10-August 06
Member No.: 7



https://www.bleepingcomputer.com/news/secur...ver-100k-sites/

Today, cybersecurity company Sansec warned that the polyfill.io domain and service was purchased earlier this year by a Chinese company named 'Funnull' and the script has been modified to introduce malicious code on websites in a supply chain attack.

"However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," explains Sansec.

When polyfill.io was purchased, the project developer warned that he never owned the polyfill.io site and that all websites should remove it immediately.

pandy, Jun 29 2024, 06:16 PM (Post #2)
And cdn.polyfill.io is yet another library, one assumes?

Hmm. That must be a risk with just about any library that lives on or connects to a remote server, mustn't it? In the wrong hands it can get a whole lot of new "features" all of a sudden...
Christian J, Jun 30 2024, 03:28 PM (Post #3)
Exactly! Same goes for browser extensions and mobile apps, BTW.
pandy, Jun 30 2024, 07:15 PM (Post #4)
Yeah, apps are a little scary since one usually knows nothing about the people behind the app. And they almost always need access to a lot of things on the phone.

The same can probably be true for computer programs if they interact with a server in some way. BTW my beloved little FW thingie TinyWall is good for that too. No program that I haven't explicitly allowed can call home.