Closed robrwo closed 4 months ago
I've emailed the author of Mojolicious-Plugin-LazyImage directly, since the git repo seems to be missing.
I forgot to tag this issue in 387ef538c13f8fb4bb67a801639aaa7c1ab7c8b3 and 5f6a039b779b3196f0c004ce0a7a56cb2e0fec27
Looking closely, that CVE refers to pdoc specifically as software that uses the compromised polyfill.
I see that the Mojo-DOM-Role-Analyzer tests use polyfill as you noted, and since these tests are actually run by default by cpan clients, I consider this a problem.
In Mojolicious-Plugin-LazyImage, the polyfill is in the code.
I see that the tests use polyfill as you noted, and since these tests are actually run by default by cpan clients, I consider this a problem.
Also, developers will use tests as examples.
For 387ef538c13f8fb4bb67a801639aaa7c1ab7c8b3 I'd leave it as all affected versions, as there's only 0.01 anyway. If/when a new version is released that fixes the issue, we can update that.
For 387ef53 I'd leave it as all affected versions, as there's only 0.01 anyway. If/when a new version is released that fixes the issue, we can update that.
I don't think CPAN::Audit can handle an "all versions". It needs something to compare to the current version. I can see the problem if there's another release that does not fix this though.
I've released a new CPAN::Audit that contains this advisory. Thanks,
The CDN-hosted polyfill.io script appears to have been compromised by malware: https://stackdiary.com/polyfill-compromise-hits-100000-sites-in-a-supply-chain-attack/
A git grep of a copy of MetaCPAN shows the following modules may be using it:
I believe this is CVE-2024-38526
Note: WWW-Wappalyzer references polyfill.io but this seems to be for analysing tech used, and not actually embedding it.
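As an added example (not part of this thread, CPAN::Audit or any of the named distributions), here is a shell script that repeats the grep sweep described above over a local checkout and separates lines that actually embed the CDN script from lines that merely name the domain, the distinction the WWW-Wappalyzer note draws. The two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find polyfill.io references in a source tree and classify
# each hit, so a module that only lists the domain as a fingerprint is not
# reported the same way as one that loads the script from the CDN.

# Write a small constructed tree into "$1": one test file that embeds the
# CDN script and one module that only stores the domain as a signature.
make_sample_tree() {
  mkdir -p "$1/t" "$1/lib"
  cat > "$1/t/render.t" <<'EOF'
my $html = '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>';
EOF
  cat > "$1/lib/Detect.pm" <<'EOF'
my %signatures = ( 'polyfill.io' => 'Polyfill CDN' );  # fingerprint only
EOF
}

# Print one line per grep hit (path:line:text), prefixed "embed" when the
# domain sits inside a <script ... src=...> tag on that line, "mention"
# otherwise. Limitation: a tag split over several lines shows as "mention",
# so review those by hand before clearing a distribution.
scan_polyfill_refs() {
  grep -rIn 'polyfill\.io' "$1" | while IFS= read -r hit; do
    case "$hit" in
      *"<script"*"src="*"polyfill.io"*) printf 'embed   %s\n' "$hit" ;;
      *)                                 printf 'mention %s\n' "$hit" ;;
    esac
  done
}

# Counts per class; grep -c prints 0 (and exits 1) when nothing matches,
# so swallow that exit status to keep the helpers usable under set -e.
count_embeds()   { scan_polyfill_refs "$1" | grep -c '^embed '   || true; }
count_mentions() { scan_polyfill_refs "$1" | grep -c '^mention ' || true; }
```

Run `make_sample_tree "$dir"` followed by `scan_polyfill_refs "$dir"` to see one embed (t/render.t) and one mention (lib/Detect.pm); point `scan_polyfill_refs` at a real checkout to triage it.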