Bug 1227688

Summary: VUL-0: CVE-2024-38526: doxygen,doxygen-1_10: Polyfill Supply Chain Attack
Product: [Novell Products] SUSE Security Incidents Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: IncidentsAssignee: Petr Gajdos <pgajdos>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412153/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1227687    

Description Gianluca Gabrielli 2024-07-12 07:51:07 UTC 
+++ This bug was initially created as a clone of Bug #1227687 +++

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

References:
https://sansec.io/research/polyfill-supply-chain-attack
https://nvd.nist.gov/vuln/detail/CVE-2024-38526
Comment 1 Gianluca Gabrielli 2024-07-12 08:11:35 UTC 
The following packages contains code that load js from the polyfill.io domain, but it was made optional [0] by commenting it out [1]. Hence, no problem here.

- SUSE:SLE-15-SP6:Update/doxygen-1_10
- openSUSE:Factory/doxygen
- SUSE:ALP:Source:Standard:1.0/doxygen

The following two packages are not affected.

- SUSE:SLE-12:Update/doxygen
- SUSE:SLE-15:Update/doxygen

[0] https://github.com/doxygen/doxygen/issues/10354
[1] https://github.com/doxygen/doxygen/commit/41e3eeed6d7c34d14f072cbfea5fe418fc65a760