RetireJS / retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Detect and warn about usage of polyfill.io #438

Closed coliff closed 2 weeks ago

coliff commented 2 weeks ago

Polyfill.io is/was a popular service used by as much as 4% of the Internet. It was recently being used to inject malicious JavaScript code into users’ browsers.

REF:

It'd be good if retire.js detected usage of any script on https://polyfill.io/ / https://cdn.polyfill.io/ and warned users.

eoftedal commented 2 weeks ago

Yeah, I saw this and was thinking the same. I'm sure we can solve that for the browser extensions and retire-site-scanner. The command line scanner will struggle a bit more, as it would have to scan non-JS files like HTML and similar, which would likely slow down those scans.

coliff commented 2 weeks ago

Thanks for adding that and all the work you've done on this project 👍

eoftedal commented 2 weeks ago

It will currently only work in the Chrome extension and not in any other extensions (Burp, Firefox) or the CLI. I have to see if there is a way to backport that fix to the old format of vulnerabilities, but I currently don't see one, and the best way to detect this would be to look at what is loaded in the browser (which the Chrome extension does).
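The thread contrasts two ways of spotting a polyfill.io include: a CLI scanner that would have to look inside HTML for `<script src>` references, and a browser extension that sees the URLs a page actually loads. The following is an added example (not retire.js code, and not the detection that was shipped in the Chrome extension) showing both inputs fed through one host check. The host list, the `example.invalid` base URL used to resolve protocol-relative `//` sources, and the sample page are constructed for this example; the host comparison is exact or by subdomain so that look-alike domains such as `notpolyfill.io` are not flagged.

```javascript
// Added example, not retire.js project code: flag <script src> references and
// loaded-resource URLs that point at polyfill.io hosts. POLYFILL_HOSTS, the
// base URL and SAMPLE_HTML below are constructed for this example.
const POLYFILL_HOSTS = ["polyfill.io", "cdn.polyfill.io"];

// True if the URL's host is polyfill.io, cdn.polyfill.io, or any subdomain of
// polyfill.io. Exact host comparison, so "notpolyfill.io" does not match.
function isPolyfillHost(urlString, base = "https://example.invalid/") {
  let url;
  try {
    // The base lets protocol-relative sources like "//cdn.polyfill.io/..." resolve.
    url = new URL(urlString, base);
  } catch {
    return false; // unparsable src attribute: nothing to flag
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return POLYFILL_HOSTS.includes(host) || host.endsWith(".polyfill.io");
}

// Pull src values out of <script> tags in an HTML string. Regex-based on
// purpose: it is the cheap approach a CLI scanner could take without a full
// HTML parser, and it handles double-quoted, single-quoted and bare values.
function extractScriptSrcs(html) {
  const srcs = [];
  const scriptTag = /<script\b[^>]*>/gi;
  const srcAttr = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const a = srcAttr.exec(m[0]);
    if (a) srcs.push((a[1] ?? a[2] ?? a[3]).trim());
  }
  return srcs;
}

// CLI-style check over a page's markup: returns the offending script URLs.
function findPolyfillScripts(html) {
  return extractScriptSrcs(html).filter((src) => isPolyfillHost(src));
}

// Browser-style check over the URLs a page actually loaded (what an extension
// observes at request time): same host test, different input.
function findPolyfillLoads(loadedUrls) {
  return loadedUrls.filter((u) => isPolyfillHost(u));
}

// Constructed sample page: a polyfill.io include, a protocol-relative include,
// a look-alike host that must not match, an unrelated CDN and an inline script.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<script src=https://notpolyfill.io/evil.js></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>console.log("inline")</script>
</head><body></body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("script tags:", findPolyfillScripts(SAMPLE_HTML));
  console.log("loaded URLs:", findPolyfillLoads([
    "https://cdn.polyfill.io/v3/polyfill.min.js",
    "https://example.com/app.js",
  ]));
}
```

Running the file prints the two polyfill.io script sources from the sample page and the one matching loaded URL; the look-alike `notpolyfill.io` and the cdnjs include are left alone. The same `isPolyfillHost` check is what an extension would apply to each request URL, which is the input the thread identifies as the most reliable one, since it also catches scripts injected at runtime that never appear in the static markup.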