Our weekly Qualys scan found the following vulnerability
151040 Vulnerable JavaScript Detected - Polyfill.js
Threat
The polyfill.js is a popular open source library to support older browsers. Thousands of sites embed it using the cdn.polyfill.io domain. In February 2024, a Chinese company (Funnull) bought the domain and the associated Github account. The company has modified the Polyfill.js script to introduce malicious code in to websites. Any script adopted from cdn.polyfill.io would immediately be downloading malicious code from the Chinese company's site.
QID Detection Logic (Unauthenticated):
This QID checks if the target is using the js file.
Impact
Presence of this javascript allows attackers to embed malicious JavaScript into the users website allowing them to steal sensitive data, redirect users to malicious websites and possible code execution.
Solution
Given that the modern browsers do not require Polyfill, original polyfill author recommends to not use Polyfill at all. Recommended alternatives are CDN such as Cloudflare and Fastly
Examining the files I see that the following js files contain references to js-polyfills
robohelpTarget\template\scripts\common.min.js
robohelpTarget\template\scripts\csh-core.min.js
robohelpTarget\template\scripts\layout.min.js
robohelpTarget\template\scripts\rh.min.js
robohelpTarget\template\scripts\topic.min.js
Is this a false positive? It isn't referencing or downloading from cdn.polyfill.io so I am hoping it is.
We are using Version 2022.3.93
3
Replies
AdChoices