Bugzilla – Bug 1227690
VUL-0: CVE-2024-38526: ghc-pandoc: Polyfill Supply Chain Attack
Last modified: 2024-07-12 09:04:34 UTC
+++ This bug was initially created as a clone of Bug #1227687 +++

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.

References:
https://sansec.io/research/polyfill-supply-chain-attack
https://nvd.nist.gov/vuln/detail/CVE-2024-38526
The following package loads JS from polyfill.io:

- SUSE:SLE-15-SP5:Update/ghc-pandoc

Upstream already addressed it in v3.1.12.3 [0], but I see that more recently they even dropped it [1]. If you believe it's OK to drop, then you can backport the latter commit too.

openSUSE:Factory/ghc-pandoc is safe as it's v3.2.

[0] https://github.com/jgm/pandoc/commit/5877ec546df29115163b36de32837f5e08506092
[1] https://github.com/jgm/pandoc/commit/59cc5c37251a9a180717474612d6efbd4ad90402
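As an added check for verifying a fixed or backported package (this is not code from the bug report, from SUSE, or from the pandoc project): a small POSIX shell helper that scans HTML templates or generated HTML files for `<script>`/`<link>` tags pointing at any polyfill.io host. The function names, the regular expression and the sample file contents in the usage note are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or pandoc): report HTML files whose
# <script src=...> or <link href=...> tags reference a polyfill.io host.

# Print "file:line:match" for every <script>/<link> tag in the given files
# that references polyfill.io (any subdomain, http or https or protocol-relative).
# Reads stdin when no file is given. Exit status: 0 if anything matched, 1 if not.
# Caveat: tags split across several lines are not matched; check those by hand.
find_polyfill_refs() {
    grep -EinH '<(script|link)[^>]*(src|href)[^>]*polyfill\.io' "$@"
}

# Number of distinct files containing a match (handy as a CI gate: must be 0).
count_polyfill_files() {
    find_polyfill_refs "$@" 2>/dev/null | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# When run directly with file arguments, scan them and fail the script if any
# reference is found; with no arguments just define the functions.
if [ "$#" -gt 0 ]; then
    if find_polyfill_refs "$@"; then
        echo "polyfill.io reference(s) found" >&2
        exit 1
    fi
    echo "no polyfill.io references in $# file(s)"
fi
```

To check the installed package rather than a file, pipe pandoc's own default template and a rendered document through the function, for example `pandoc --print-default-template=html5 | find_polyfill_refs` and `pandoc -s --mathjax -o out.html in.md && find_polyfill_refs out.html`; a fixed build of ghc-pandoc should produce no matches from either. The `--print-default-template` and `--mathjax` flags are real pandoc options; `in.md` is a placeholder document of your own.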