Bug 1227687 (CVE-2024-38526)

Summary: VUL-0: CVE-2024-38526: TRACKERBUG: Polyfill Supply Chain Attack
Product: [Novell Products] SUSE Security Incidents Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412153/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1227690, 1227693, 1227659, 1227688    
Bug Blocks:    

Description Gianluca Gabrielli 2024-07-12 07:43:12 UTC 
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

References:
https://sansec.io/research/polyfill-supply-chain-attack
https://nvd.nist.gov/vuln/detail/CVE-2024-38526