Bug 1227690

Summary: VUL-0: CVE-2024-38526: ghc-pandoc: Polyfill Supply Chain Attack
Product: [Novell Products] SUSE Security Incidents Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: IncidentsAssignee: Peter Simons <peter.simons>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412153/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1227687    

Description Gianluca Gabrielli 2024-07-12 08:14:33 UTC 
+++ This bug was initially created as a clone of Bug #1227687 +++

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

References:
https://sansec.io/research/polyfill-supply-chain-attack
https://nvd.nist.gov/vuln/detail/CVE-2024-38526
Comment 1 Gianluca Gabrielli 2024-07-12 08:23:49 UTC 
The following package loads js from polyfill.io.

 - SUSE:SLE-15-SP5:Update/ghc-pandoc

Upstream already address it in v3.1.12.3 [0] but I see that more recently they even droped it [1]. If you believe it's OK to drop, then you can backport the latter commit too.

openSUSE:Factory/ghc-pandoc is safe as it's v3.2.

[0] https://github.com/jgm/pandoc/commit/5877ec546df29115163b36de32837f5e08506092
[1] https://github.com/jgm/pandoc/commit/59cc5c37251a9a180717474612d6efbd4ad90402