Skip to main content
D
defaultdzk4d31ohvca
Participant
July 11, 2024
Question

vulnerability with Polyfill?

  • July 11, 2024
  • 2 replies
  • 706 views

Our weekly Qualys scan found the following vulnerability 

151040 Vulnerable JavaScript Detected - Polyfill.js 

 

Threat
The polyfill.js is a popular open source library to support older browsers. Thousands of sites embed it using the cdn.polyfill.io domain. In February 2024, a Chinese company (Funnull) bought the domain and the associated Github account. The company has modified the Polyfill.js script to introduce malicious code in to websites. Any script adopted from cdn.polyfill.io would immediately be downloading malicious code from the Chinese company's site.
QID Detection Logic (Unauthenticated):
This QID checks if the target is using the js file.

Impact
Presence of this javascript allows attackers to embed malicious JavaScript into the users website allowing them to steal sensitive data, redirect users to malicious websites and possible code execution.
Solution
Given that the modern browsers do not require Polyfill, original polyfill author recommends to not use Polyfill at all. Recommended alternatives are CDN such as Cloudflare and Fastly

 

Examining the files I see that the following js files contain references to js-polyfills 
robohelpTarget\template\scripts\common.min.js
robohelpTarget\template\scripts\csh-core.min.js
robohelpTarget\template\scripts\layout.min.js
robohelpTarget\template\scripts\rh.min.js
robohelpTarget\template\scripts\topic.min.js

Is this a false positive? It isn't referencing or downloading from cdn.polyfill.io so I am hoping it is. 

We are using Version 2022.3.93

    This topic has been closed for replies.

    2 replies

    Peter Grainge
    Community Expert
    Peter GraingeCommunity Expert
    Community Expert
    July 11, 2024

    BTW. 2022.4 is available. It has a few issues but they may not affect you.

     

    See https://www.grainge.org/RoboHelp/Issues/Issues.htm.

    ________________________________________________________

    My site www.grainge.org includes many free Authoring and RoboHelp resources that may be of help.

     

    Use menu (bottom right) to mark as Best Answer or to Highlight particularly useful replies. Found the answer elsewhere? Share it here.
    Peter Grainge
    Community Expert
    Peter GraingeCommunity Expert
    Community Expert
    July 11, 2024

    This is a user to user forum. It would be wrong in my opinion for you to rely on the opinion of anyone here. I suggest for this one you need to go to Adobe Support. See https://helpx.adobe.com/contact/enterprise-support.other.html#robohelp for your Adobe Support options. The email link tcssup@adobe.com is recommended as it reaches a team dedicated to Technical Communication Suite products including RoboHelp.

    ________________________________________________________

    My site www.grainge.org includes many free Authoring and RoboHelp resources that may be of help.

     

    Use menu (bottom right) to mark as Best Answer or to Highlight particularly useful replies. Found the answer elsewhere? Share it here.
      D
      defaultdzk4d31ohvcaAuthor
      Participant
      July 11, 2024

      Thank you. I have emailed support. 

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices