Bugzilla – Bug 1227688
VUL-0: CVE-2024-38526: doxygen,doxygen-1_10: Polyfill Supply Chain Attack
Last modified: 2024-07-12 09:04:53 UTC
+++ This bug was initially created as a clone of Bug #1227687 +++

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

References:
https://sansec.io/research/polyfill-supply-chain-attack
https://nvd.nist.gov/vuln/detail/CVE-2024-38526
The following packages contain code that loads js from the polyfill.io domain, but it was made optional [0] by commenting it out [1]. Hence, no problem here.

- SUSE:SLE-15-SP6:Update/doxygen-1_10
- openSUSE:Factory/doxygen
- SUSE:ALP:Source:Standard:1.0/doxygen

The following two packages are not affected.

- SUSE:SLE-12:Update/doxygen
- SUSE:SLE-15:Update/doxygen

[0] https://github.com/doxygen/doxygen/issues/10354
[1] https://github.com/doxygen/doxygen/commit/41e3eeed6d7c34d14f072cbfea5fe418fc65a760
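As an added defender-side example (not code from this bug report or from the doxygen project), the scanner below flags active `<script>`/`<link>` includes whose host is polyfill.io or a subdomain such as cdn.polyfill.io, while ignoring includes that were disabled by commenting them out, which is how the doxygen fix referenced above made the include optional. The sample HTML is constructed for the example; only the domain named on this page is in the flagged set.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains tied to the polyfill.io takeover described in the report (assumption:
# only the domain named on the page is listed; extend as your own intel requires).
FLAGGED_DOMAINS = {"polyfill.io"}


def is_flagged_host(url: str) -> bool:
    """True if the URL's host is a flagged domain or a subdomain of one."""
    # Protocol-relative embeds (src="//cdn.polyfill.io/...") need a scheme for urlparse.
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    # Match on the parsed host, not a substring, so polyfill.io.example.com is not flagged.
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


class ScriptSrcScanner(HTMLParser):
    """Collect flagged src/href values of active tags. HTMLParser never parses tags
    inside <!-- ... -->, so an include disabled by commenting it out is not reported."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, line number, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if src and is_flagged_host(src):
            self.hits.append((tag, self.getpos()[0], src))


def scan_html(text: str):
    """Return the list of (tag, line, url) includes that load from a flagged domain."""
    parser = ScriptSrcScanner()
    parser.feed(text)
    parser.close()
    return parser.hits


# Constructed sample: one live include, one commented-out include, one
# protocol-relative include, and two look-alike hosts that must not match.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<!-- <script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script> -->
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io.example.com/x.js"></script>
<script src="https://example.com/js/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for tag, line, url in scan_html(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```

Run it over the generated HTML output of a build (for doxygen, the html/ directory) rather than only the templates, since the include is emitted into every page.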