coliff closed 2 weeks ago
Yeah, I saw this and was thinking the same. I'm sure we can solve that for the browser extensions and retire-site-scanner. The command line scanner will struggle a bit more, as it would have to scan non-js files like HTML and similar, which would likely slow down those scans.
Thanks for adding that and all the work you've done on this project 👍
It will currently only work in the Chrome extension and not in any other extensions (Burp, Firefox) or the CLI. I have to see if there is a way to backport that fix to the old format of vulnerabilities, but I currently don't see one, and the best way to detect this would be to look at what is loaded in the browser (which the Chrome extension does).
Polyfill.io is/was a popular service used by as much as 4% of the Internet. It was recently being used to inject malicious JavaScript code into users’ browsers.
REF:
It'd be good if retire.js detected usage of any script on https://polyfill.io/ / https://cdn.polyfill.io/ and warned users.
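A sketch of the kind of HTML-side check this thread asks for, added here as an example and not retire.js code: it pulls `<script src>` references out of page markup and flags those whose host is polyfill.io or a subdomain of it. The names `FLAGGED_DOMAINS`, `isFlaggedHost`, `findFlaggedScripts`, the sample markup and the page URL are assumptions made for the example.

```javascript
// Domain named in the issue; subdomains such as cdn.polyfill.io match as well.
const FLAGGED_DOMAINS = ["polyfill.io"];

// Constructed sample page (not taken from a real site).
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.polyfill.io/v2/polyfill.min.js"></script>
<script SRC='//polyfill.io/v3/polyfill.min.js?features=fetch'></script>
<script src=https://polyfill.io.example.test/lib.js></script>
<script src="/static/polyfill.io/local-copy.js"></script>
<script data-src="https://polyfill.io/lazy.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head></html>`;

// Compare on the parsed hostname so paths and lookalike hosts do not match.
function isFlaggedHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return FLAGGED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Returns absolute URLs of <script src> references served from a flagged host.
function findFlaggedScripts(html, pageUrl) {
  const hits = [];
  const tagRe = /<script\b[^>]*>/gi;
  // Quoted or unquoted src; the leading \s keeps data-src from matching.
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const tag of html.match(tagRe) || []) {
    const m = srcRe.exec(tag);
    if (!m) continue;
    const raw = m[1] ?? m[2] ?? m[3];
    let url;
    try {
      // Resolves relative and protocol-relative references against the page.
      url = new URL(raw.trim(), pageUrl);
    } catch {
      continue; // unparseable src value, nothing to check
    }
    if (isFlaggedHost(url.hostname)) hits.push(url.href);
  }
  return hits;
}

console.log(findFlaggedScripts(SAMPLE_HTML, "https://shop.example.test/index.html"));
```

This only sees scripts present in the static markup; references injected at runtime are visible only to a check that observes what the browser actually loads.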