(Handle Polyfill.io Security-Alert) How do you detect if a big npm Codebase uses Polyfill.io somewhere?
Polyfill.io is malicious: https://dev.to/snyk/polyfill-supply-chain-attack-embeds-malware-in-javascript-cdn-assets-55d6

I now need to find it in my codebase:

I used: grep -r "polyfill.io" to quickly find the obvious and I checked the Network Traffic of the website.

Network Traffic is however not an exhaustive method to find every polyfill.

How do I efficiently check:

Caecilian answered 27/6 at 8:10

Goddord: I used npmgraph.js.org to check all my deps of my apps
Indeclinable: @Caecilian Any luck on this?
Caecilian: @Indeclinable Unfortunately no. I think though that grep -r "polyfill.io" would find a lot in package-lock.json and node_modules too. But I am not sure about the dynamically loaded stuff.
You can use Zaproxy to scan a website for the use of the polyfill[.]io domain. No need to install ZAP, just run a one liner to run the check with a docker container:

docker run -t zaproxy/zap-stable zap.sh -cmd -addoninstall pscanrulesBeta -zapit https://www.example.com/

You can specify as many URLs as you like: -zapit https://www.example1.com -zapit http://example2.com/

See https://www.zaproxy.org/blog/2024-06-27-polyfill.io-script-detection/

Clunk answered 2/7 at 11:45

Caecilian: How does that work with pages that are protected by some authentication system? (meaning you need to log in before you see the page)
Clunk: @Caecilian I haven't tried that but have a look over here: adrianhesketh.com/2020/07/07/…
