Original Post: What It Is and How to Know If You’re…
The Polyfill supply chain attack was disclosed by Sansec on June 25, 2024. Malicious code had been injected into the polyfill.js library served from the polyfill.io CDN, redirecting visitors of sites that loaded it to scam sites. The domain had been acquired by the Chinese company Funnull in February 2024, and the malicious behaviour was designed to avoid detection.
On June 27, updates noted that Cloudflare had implemented fixes and that Namecheap had put the domain on hold; site owners are still advised to remove every reference to polyfill.io from their codebases. Affected sites are those that load the polyfill library from the polyfill.io CDN. The issue is tracked as CVE-2024-38526 and can be detected with Veracode's Software Composition Analysis (SCA) and Dynamic Analysis.
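The recommended remediation above is to find and remove every reference to polyfill.io. The following scanner is an added example written for this summary, not code from Veracode or from the original post: it walks an in-memory set of source files (constructed samples here; on a real project you would read them from disk) and reports each line that references polyfill.io or any of its subdomains via http://, https:// or a protocol-relative // URL, while ignoring look-alike hosts such as `polyfill.io.example.com`. The file names and URLs in the sample are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches polyfill.io itself or any subdomain of it (e.g. cdn.polyfill.io) in the
# http://, https:// and protocol-relative // forms. The lookahead requires a URL
# delimiter after the host so that look-alikes like polyfill.io.example.com are
# not reported.
POLYFILL_REF = re.compile(
    r"(?:https?:)?//(?P<host>(?:[a-z0-9-]+\.)*polyfill\.io)(?=[/?#\s\"'<>]|$)"
    r"(?P<path>[^\s\"'<>]*)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    file: str
    line: int   # 1-based line number within the file
    host: str   # matched hostname, lower-cased
    url: str    # the full URL as it appears in the source


def scan_text(name: str, text: str) -> List[Finding]:
    """Return one Finding per polyfill.io reference found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in POLYFILL_REF.finditer(line):
            findings.append(Finding(name, lineno, m.group("host").lower(), m.group(0)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping; the same shape you get by reading files from disk."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


def report(files: Dict[str, str]) -> List[str]:
    """One 'path:line: url' string per finding, suitable for a CI log."""
    return [f"{f.file}:{f.line}: {f.url}" for f in scan_files(files)]


# Constructed sample inputs for this example (hypothetical file names and contents).
SAMPLE_FILES = {
    "templates/base.html": (
        "<head>\n"
        '  <script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>\n'
        "</head>\n"
    ),
    "static/app.js": (
        "// legacy loader\n"
        "document.write('<script src=\"//polyfill.io/v3/polyfill.min.js\"></script>');\n"
    ),
    "static/clean.js": (
        "// self-hosted copy and a look-alike host; neither must be flagged\n"
        'load("https://example.com/js/polyfill.min.js");\n'
        'load("https://polyfill.io.example.com/x.js");\n'
    ),
}

if __name__ == "__main__":
    for line in report(SAMPLE_FILES):
        print(line)
```

Running the block prints two hits (the HTML template and the legacy loader) and nothing for `clean.js`. In a real pipeline you would feed `scan_files` the contents of every HTML, JavaScript and template file in the repository and fail the build on a non-empty result; the regex deliberately matches subdomains so that a `cdn.polyfill.io` reference is caught as well as the bare host.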
Next steps include ongoing analysis and updates to the Veracode Vulnerability Database, and Veracode offers tools like DAST Essentials to help protect against such attacks. A free trial of these tools is available.