On the 25th of June 2024, Sansec released a security advisory article regarding the Polyfill supply chain attack.
Intro
Polyfill.js is a popular JavaScript library that provides modern functionality on older browsers that do not natively support it. It is typically included through an HTML <script> tag that loads the library from a remote host, so whatever that host serves is executed as JavaScript on every page of the website that embeds it. Most such embeds load the script from *.polyfill.io, and in particular from cdn.polyfill.io.
The issue
Unfortunately, the polyfill.io domain itself has been acquired by a China-based company called Funnull. According to Sansec, it has been confirmed that the script served from the domain injects malicious JS code into the Polyfill library hosted there. This amounts to a Cross-Site Scripting (XSS) vulnerability: a malicious actor can execute JS code to steal users’ data, perform unwanted actions on the site, and carry out other actions such as redirecting users to a shady website. In the analysis done by Sansec, the malicious code was observed redirecting users to sports betting sites.
Some of the domains that, according to Sansec, have been compromised by the same actor and host malicious JS code are:
- *.polyfill.io (cdn.polyfill.io)
- bootcdn.net
- bootcss.com
- staticfile.net
- staticfile.org
- unionadjs.com
- xhsbpza.com
- union.macoms.la
- newcrbpc.com
Effect on the WordPress Ecosystem
We analyzed the WordPress repository and searched for plugins and themes that are known to embed, or still contain code that embeds, a script from the affected domains listed above. Since most of the affected domains have already been taken down, the current impact of this issue is minimal, and we consider it a risk rather than a directly exploitable vulnerability. However, the affected domains could become active again in the future. We have also created a vulnerability entry for this issue in our database and set the patch priority to low.
Below is a JSON list of the affected plugins that we have found:
[
{
"name":"Amelia",
"slug":"ameliabooking",
"type":"plugin",
"affected_version":"<= 1.1.8",
"patched_version":null
},
{
"name":"WP User Frontend",
"slug":"wp-user-frontend",
"type":"plugin",
"affected_version":"<= 4.0.7",
"patched_version":null
},
{
"name":"Product Customer List for WooCommerce",
"slug":"wc-product-customer-list",
"type":"plugin",
"affected_version":"<= 3.1.6",
"patched_version":"3.1.7"
},
{
"name":"Word Balloon",
"slug":"word-balloon",
"type":"plugin",
"affected_version":"<= 4.22.1",
"patched_version":"4.22.2"
},
{
"name":"Sentry",
"slug":"wp-sentry-integration",
"type":"plugin",
"affected_version":"<= 7.8.0",
"patched_version":"7.9.0"
},
{
"name":"YITH WooCommerce Affiliates",
"slug":"yith-woocommerce-affiliates",
"type":"plugin",
"affected_version":"<= 3.8.0",
"patched_version":"3.8.1"
},
{
"name":"FireBox",
"slug":"firebox",
"type":"plugin",
"affected_version":"<= 2.1.15",
"patched_version":"2.1.16"
},
{
"name":"YAHMAN Add-ons",
"slug":"yahman-add-ons",
"type":"plugin",
"affected_version":"<= 0.9.28",
"patched_version":"0.9.29"
},
{
"name":"Tooltip for Gravity Forms",
"slug":"tooltip-for-gravity-forms",
"type":"plugin",
"affected_version":"<= 2.9",
"patched_version":null
},
{
"name":"Taager",
"slug":"taager",
"type":"plugin",
"affected_version":"<= 1.16.0",
"patched_version":null
},
{
"name":"TotalSurvey",
"slug":"totalsurvey",
"type":"plugin",
"affected_version":"<= 1.9.3",
"patched_version":null
},
{
"name":"Weight Tracker",
"slug":"weight-loss-tracker",
"type":"plugin",
"affected_version":"<= 10.8.3",
"patched_version":null
},
{
"name":"Meal Tracker",
"slug":"meal-tracker",
"type":"plugin",
"affected_version":"<= 3.1.6",
"patched_version":null
},
{
"name":"TotalRating Pro",
"slug":"totalrating",
"type":"plugin",
"affected_version":"<= 1.8.4",
"patched_version":null
},
{
"name":"Amelia Shortcode Extended",
"slug":"theidealweb-amelia-shortcode-extended",
"type":"plugin",
"affected_version":"<= 1.6",
"patched_version":null
},
{
"name":"Logic Hop",
"slug":"logic-hop",
"type":"plugin",
"affected_version":"<= 3.8.8",
"patched_version":null
},
{
"name":"ShipAny",
"slug":"shipany",
"type":"plugin",
"affected_version":"<= 1.1.51",
"patched_version":null
},
{
"name":"Integration for Luminate and Gravity Forms",
"slug":"integration-for-luminate-and-gravity-forms",
"type":"plugin",
"affected_version":"<= 1.3.3",
"patched_version":"1.3.4"
},
{
"name":"WebSitter Pro",
"slug":"triagetrak",
"type":"plugin",
"affected_version":"<= 4.0.11",
"patched_version":null
},
{
"name":"Viva Payments",
"slug":"viva-payments-simple-checkout",
"type":"plugin",
"affected_version":"<= 1.2",
"patched_version":null
},
{
"name":"CommandBar for WP Admin",
"slug":"commandbar-for-wp-admin",
"type":"plugin",
"affected_version":"<= 1.0.7",
"patched_version":null
},
{
"name":"alfred24 Click & Collect",
"slug":"alfred-click-collect",
"type":"plugin",
"affected_version":"<= 1.1.7",
"patched_version":null
},
{
"name":"Qualified Electronic Signatures by eID Easy",
"slug":"eid-easy-qualified-electonic-signature",
"type":"plugin",
"affected_version":"<= 3.3.0",
"patched_version":null
},
{
"name":"Digital River Global Commerce",
"slug":"digital-river-global-commerce",
"type":"plugin",
"affected_version":"<= 2.0.2",
"patched_version":null
},
{
"name":"ADDRESSYA",
"slug":"addressya-for-woocommerce",
"type":"plugin",
"affected_version":"<= 3.1.1",
"patched_version":null
},
{
"name":"Contact Form by TotalForm",
"slug":"totalform",
"type":"plugin",
"affected_version":"<= 1.0.0",
"patched_version":null
},
{
"name":"Alfred Easy Shipping",
"slug":"alfred-easy-shipping",
"type":"plugin",
"affected_version":"<= 1.0.5",
"patched_version":null
},
{
"name":"Field Day",
"slug":"activityhub",
"type":"plugin",
"affected_version":"<= 3.3.8",
"patched_version":null
},
{
"name":"Jobs.af",
"slug":"jobs-af",
"type":"plugin",
"affected_version":"<= 1.0.1",
"patched_version":null
},
{
"name":"Pixel Manager for WooCommerce",
"slug":"woocommerce-google-adwords-conversion-tracking-tag",
"type":"plugin",
"affected_version":"<= 1.43.3",
"patched_version":"1.43.4"
},
{
"name":"weForms",
"slug":"weforms",
"type":"plugin",
"affected_version":"<= 1.6.23",
"patched_version":null
},
{
"name":"OpenStreetMap for Gutenberg and WPBakery Page Builder",
"slug":"stepbyteservice-openstreetmap",
"type":"plugin",
"affected_version":"<= 1.1.2",
"patched_version":null
},
{
"name":"WPJAM Basic",
"slug":"wpjam-basic",
"type":"plugin",
"affected_version":"<= 6.5.4.1",
"patched_version":null
},
{
"name":"nicen-localize-image",
"slug":"nicen-localize-image",
"type":"plugin",
"affected_version":"<= 1.4.0",
"patched_version":null
},
{
"name":"Mine Video Player",
"slug":"mine-video",
"type":"plugin",
"affected_version":"<= 2.8.11",
"patched_version":null
},
{
"name":"Canvas-Nest.js",
"slug":"canvas-nestjs",
"type":"plugin",
"affected_version":"<= 1.0.1",
"patched_version":null
},
{
"name":"WS Theme Addons",
"slug":"ws-theme-addons",
"type":"plugin",
"affected_version":"<= 2.0.0",
"patched_version":null
},
{
"name":"Magic Conversation For Gravity Forms",
"slug":"magic-conversation-for-gravity-forms",
"type":"plugin",
"affected_version":"<= 3.0.94",
"patched_version":null
},
{
"name":"wp-code-highlightjs",
"slug":"wp-code-highlightjs",
"type":"plugin",
"affected_version":"<= 0.6.3",
"patched_version":null
},
{
"name":"Ideaplus",
"slug":"ideaplus",
"type":"plugin",
"affected_version":"<= 1.0.5",
"patched_version":null
},
{
"name":"Easy Speedup by PageCDN",
"slug":"pagecdn",
"type":"plugin",
"affected_version":"<= 5.14",
"patched_version":null
},
{
"name":"Social Warfare",
"slug":"social-warfare",
"type":"plugin",
"affected_version":"<= 4.4.7.1",
"patched_version":"4.4.7.3"
},
{
"name":"Blaze Widget",
"slug":"blaze-widget",
"type":"plugin",
"affected_version":"<= 2.5.2",
"patched_version":"2.5.4"
},
{
"name":"Contact Form 7 Multi-Step Addon",
"slug":"contact-form-7-multi-step-addon",
"type":"plugin",
"affected_version":"<= 1.0.5",
"patched_version":"1.0.7"
},
{
"name":"Simply Show Hooks",
"slug":"simply-show-hooks",
"type":"plugin",
"affected_version":"<= 1.2.1",
"patched_version":null
}
]
Note that the list above is subject to change if a patched version is published or if entries are added or updated.
The recommended patch
We recommend removing the code that embeds a script from the compromised domains. If the functionality of the Polyfill library is still needed, trusted CDNs such as Cloudflare host the library on cdnjs. Lastly, keep third-party libraries continuously updated and implement a Content Security Policy (CSP) rule that restricts the hosts from which scripts may be loaded, which reduces the possibility of JS code injection.
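As an added example (our own illustration here, not Patchstack's tooling), the following Python script implements both the repository search described above and a check of the CSP mitigation: it scans plugin source for <script src> tags and wp_enqueue_script() URLs that point at the listed domains (including subdomains such as cdn.polyfill.io), and it tests whether a Content-Security-Policy's script-src would still permit such a host. The sample plugin source is constructed, and the CSP matcher is a simplified, host-only approximation of the real algorithm.

```python
import re
from urllib.parse import urlparse

# Domains the advisory lists as serving the injected script.
COMPROMISED_DOMAINS = ("polyfill.io", "bootcdn.net", "bootcss.com", "staticfile.net",
                       "staticfile.org", "unionadjs.com", "xhsbpza.com",
                       "union.macoms.la", "newcrbpc.com")

# A <script src="..."> tag, or the URL argument of WordPress' wp_enqueue_script().
SCRIPT_SRC_RE = re.compile(
    r"""<script[^>]*\ssrc\s*=\s*["']([^"']+)["']"""
    r"""|wp_enqueue_script\s*\([^,]*,\s*["']([^"']+)["']""", re.IGNORECASE)

def host_of(url: str) -> str:
    """Lowercase hostname; protocol-relative '//host/...' URLs are handled too."""
    return (urlparse("https:" + url if url.startswith("//") else url).hostname or "").lower()

def is_compromised_host(url: str) -> bool:
    """True if the host is a listed domain or a subdomain of one (e.g. cdn.polyfill.io)."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in COMPROMISED_DOMAINS)

def find_embedded_scripts(source: str) -> list:
    """(line_number, url) for every script reference that points at a compromised domain."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SCRIPT_SRC_RE.finditer(line):
            url = m.group(1) or m.group(2)
            if is_compromised_host(url):
                hits.append((lineno, url))
    return hits

def csp_permits_script(policy: str, url: str) -> bool:
    """Simplified CSP host matching: would script-src (or default-src) let this URL load?
    Only host sources and '*' are evaluated; 'self', nonces and hashes are ignored."""
    directives = {p[0].lower(): p[1:] for p in (d.split() for d in policy.split(";")) if p}
    sources = directives.get("script-src", directives.get("default-src", []))
    host = host_of(url)
    for src in sources:
        pat = src.lower().split("://", 1)[-1].split("/", 1)[0]  # strip scheme and path
        if pat == "*" or pat == host or (pat.startswith("*.") and host.endswith(pat[1:])):
            return True
    return False

# Constructed sample plugin source (not from any real plugin) mixing good and bad embeds.
SAMPLE_PLUGIN_PHP = """<?php
wp_enqueue_script( 'polyfill', 'https://cdn.polyfill.io/v3/polyfill.min.js', array(), null );
echo '<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>';
echo '<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>';
"""
```

Running find_embedded_scripts(SAMPLE_PLUGIN_PHP) flags the polyfill.io and bootcss.com lines and leaves the cdnjs line alone; csp_permits_script shows that a script-src limited to cdnjs.cloudflare.com would block the compromised host even if the embed were left in place.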
Conclusion
In this article, we covered the supply chain attack on the Polyfill library, initially published by Sansec, which can inject malicious JS code into websites via compromised domains. We then analyzed the effect of this issue on the WordPress repository and found components that are known to embed, or still contain code that embeds, a script from the compromised domains.
Help us make the Internet a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you’re a plugin developer, join our mVDP program that makes it easier to report, manage, and address vulnerabilities in your software.
- If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.