2024 年 6 月 25 日,Sansec发布了有关 Polyfill 供应链攻击的安全公告文章。
介绍
Polyfill.js 是一个流行的 JavaScript 库,它为不支持它的旧版浏览器提供了现代功能。Polyfill.js 的实现主要以脚本的形式附加到 HTML 标记中。这允许代码运行动态操作过程以在使用它的网站上执行 JS 代码。此库实现主要使用托管在*.polyfill.io或特别是cdn.polyfill.io上的脚本。
问题
不幸的是,polyfill.io域名本身已被一家名为 Funnull 的中国公司收购。据Sansec称,已确认该域名的脚本试图将恶意 JS 代码注入托管在该域名上的 Polyfill 库。此问题可能导致跨站点脚本 (XSS) 漏洞,恶意行为者可以执行 JS 代码来窃取用户的数据,在网站上执行不必要的操作,以及执行其他操作,例如将用户重定向到可疑网站。从Sansec的分析中可以看出,恶意代码试图将用户重定向到体育博彩网站。
Sansec表示,一些被同一攻击者入侵并托管恶意 JS 代码的域名包括:
- *.polyfill.io (cdn.polyfill.io)
- bootcdn.net
- bootcss.com
- staticfile.net
- staticfile.org
- unionadjs.com
- xhsbpza.com
- union.macoms.la
- newcrbpc.com
对 WordPress 生态系统的影响
我们尝试分析 WordPress 存储库并搜索已知或仍有代码嵌入上述受影响域中的脚本的插件和主题。由于大多数受影响的域已被关闭,因此此问题的影响非常小,并且它更多地被视为风险而不是可直接利用的漏洞。但是,受影响的域将来可能会处于活动状态。我们还将此作为数据库中的漏洞条目,并将补丁优先级设置为低。
以下是我们发现的受影响插件的 JSON 列表:
[
{
"name":"Amelia",
"slug":"ameliabooking",
"type":"plugin",
"affected_version":"<= 1.1.8",
"patched_version":null
},
{
"name":"WP User Frontend",
"slug":"wp-user-frontend",
"type":"plugin",
"affected_version":"<= 4.0.7",
"patched_version":null
},
{
"name":"Product Customer List for WooCommerce",
"slug":"wc-product-customer-list",
"type":"plugin",
"affected_version":"<= 3.1.6",
"patched_version":"3.1.7"
},
{
"name":"Word Balloon",
"slug":"word-balloon",
"type":"plugin",
"affected_version":"<= 4.22.1",
"patched_version":"4.22.2"
},
{
"name":"Sentry",
"slug":"wp-sentry-integration",
"type":"plugin",
"affected_version":"<= 7.8.0",
"patched_version":"7.9.0"
},
{
"name":"YITH WooCommerce Affiliates",
"slug":"yith-woocommerce-affiliates",
"type":"plugin",
"affected_version":"<= 3.8.0",
"patched_version":"3.8.1"
},
{
"name":"FireBox",
"slug":"firebox",
"type":"plugin",
"affected_version":"<= 2.1.15",
"patched_version":"2.1.16"
},
{
"name":"YAHMAN Add-ons",
"slug":"yahman-add-ons",
"type":"plugin",
"affected_version":"<= 0.9.28",
"patched_version":"0.9.29"
},
{
"name":"Tooltip for Gravity Forms",
"slug":"tooltip-for-gravity-forms",
"type":"plugin",
"affected_version":"<= 2.9",
"patched_version":null
},
{
"name":"Taager",
"slug":"taager",
"type":"plugin",
"affected_version":"<= 1.16.0",
"patched_version":null
},
{
"name":"TotalSurvey",
"slug":"totalsurvey",
"type":"plugin",
"affected_version":"<= 1.9.3",
"patched_version":null
},
{
"name":"Weight Tracker",
"slug":"weight-loss-tracker",
"type":"plugin",
"affected_version":"<= 10.8.3",
"patched_version":null
},
{
"name":"Meal Tracker",
"slug":"meal-tracker",
"type":"plugin",
"affected_version":"<= 3.1.6",
"patched_version":null
},
{
"name":"TotalRating Pro",
"slug":"totalrating",
"type":"plugin",
"affected_version":"<= 1.8.4",
"patched_version":null
},
{
"name":"Amelia Shortcode Extended",
"slug":"theidealweb-amelia-shortcode-extended",
"type":"plugin",
"affected_version":"<= 1.6",
"patched_version":null
},
{
"name":"Logic Hop",
"slug":"logic-hop",
"type":"plugin",
"affected_version":"<= 3.8.8",
"patched_version":null
},
{
"name":"ShipAny",
"slug":"shipany",
"type":"plugin",
"affected_version":"<= 1.1.51",
"patched_version":null
},
{
"name":"Integration for Luminate and Gravity Forms",
"slug":"integration-for-luminate-and-gravity-forms",
"type":"plugin",
"affected_version":"<= 1.3.3",
"patched_version":"1.3.4"
},
{
"name":"WebSitter Pro",
"slug":"triagetrak",
"type":"plugin",
"affected_version":"<= 4.0.11",
"patched_version":null
},
{
"name":"Viva Payments",
"slug":"viva-payments-simple-checkout",
"type":"plugin",
"affected_version":"<= 1.2",
"patched_version":null
},
{
"name":"CommandBar for WP Admin",
"slug":"commandbar-for-wp-admin",
"type":"plugin",
"affected_version":"<= 1.0.7",
"patched_version":null
},
{
"name":"alfred24 Click & Collect",
"slug":"alfred-click-collect",
"type":"plugin",
"affected_version":"<= 1.1.7",
"patched_version":null
},
{
"name":"Qualified Electronic Signatures by eID Easy",
"slug":"eid-easy-qualified-electonic-signature",
"type":"plugin",
"affected_version":"<= 3.3.0",
"patched_version":null
},
{
"name":"Digital River Global Commerce",
"slug":"digital-river-global-commerce",
"type":"plugin",
"affected_version":"<= 2.0.2",
"patched_version":null
},
{
"name":"ADDRESSYA",
"slug":"addressya-for-woocommerce",
"type":"plugin",
"affected_version":"<= 3.1.1",
"patched_version":null
},
{
"name":"Contact Form by TotalForm",
"slug":"totalform",
"type":"plugin",
"affected_version":"<= 1.0.0",
"patched_version":null
},
{
"name":"Alfred Easy Shipping",
"slug":"alfred-easy-shipping",
"type":"plugin",
"affected_version":"<= 1.0.5",
"patched_version":null
},
{
"name":"Field Day",
"slug":"activityhub",
"type":"plugin",
"affected_version":"<= 3.3.8",
"patched_version":null
},
{
"name":"Jobs.af",
"slug":"jobs-af",
"type":"plugin",
"affected_version":"<= 1.0.1",
"patched_version":null
},
{
"name":"Pixel Manager for WooCommerce",
"slug":"woocommerce-google-adwords-conversion-tracking-tag",
"type":"plugin",
"affected_version":"<= 1.43.3",
"patched_version":"1.43.4"
},
{
"name":"weForms",
"slug":"weforms",
"type":"plugin",
"affected_version":"<= 1.6.23",
"patched_version":null
},
{
"name":"OpenStreetMap for Gutenberg and WPBakery Page Builder",
"slug":"stepbyteservice-openstreetmap",
"type":"plugin",
"affected_version":"<= 1.1.2",
"patched_version":null
},
{
"name":"WPJAM Basic",
"slug":"wpjam-basic",
"type":"plugin",
"affected_version":"<= 6.5.4.1",
"patched_version":null
},
{
"name":"nicen-localize-image",
"slug":"nicen-localize-image",
"type":"plugin",
"affected_version":"<= 1.4.0",
"patched_version":null
},
{
"name":"Mine Video Player",
"slug":"mine-video",
"type":"plugin",
"affected_version":"<= 2.8.11",
"patched_version":null
},
{
"name":"Canvas-Nest.js",
"slug":"canvas-nestjs",
"type":"plugin",
"affected_version":"<= 1.0.1",
"patched_version":null
},
{
"name":"WS Theme Addons",
"slug":"ws-theme-addons",
"type":"plugin",
"affected_version":"<= 2.0.0",
"patched_version":null
},
{
"name":"Magic Conversation For Gravity Forms",
"slug":"magic-conversation-for-gravity-forms",
"type":"plugin",
"affected_version":"<= 3.0.94",
"patched_version":null
},
{
"name":"wp-code-highlightjs",
"slug":"wp-code-highlightjs",
"type":"plugin",
"affected_version":"<= 0.6.3",
"patched_version":null
},
{
"name":"Ideaplus",
"slug":"ideaplus",
"type":"plugin",
"affected_version":"<= 1.0.5",
"patched_version":null
},
{
"name":"Easy Speedup by PageCDN",
"slug":"pagecdn",
"type":"plugin",
"affected_version":"<= 5.14",
"patched_version":null
},
{
"name":"Social Warfare",
"slug":"social-warfare",
"type":"plugin",
"affected_version":"<= 4.4.7.1",
"patched_version":"4.4.7.3"
},
{
"name":"Blaze Widget",
"slug":"blaze-widget",
"type":"plugin",
"affected_version":"<= 2.5.2",
"patched_version":"2.5.4"
},
{
"name":"Contact Form 7 Multi-Step Addon",
"slug":"contact-form-7-multi-step-addon",
"type":"plugin",
"affected_version":"<= 1.0.5",
"patched_version":"1.0.7"
},
{
"name":"Simply Show Hooks",
"slug":"simply-show-hooks",
"type":"plugin",
"affected_version":"<= 1.2.1",
"patched_version":null
}
]请注意,如果有修补版本发布或者有任何附加或更新的条目,上述列表可能会发生变化。
推荐补丁
我们建议从受感染的域中删除试图嵌入脚本的代码。如果仍然需要 Polyfill 库中的功能,一些受信任的 CDN(如Cloudflare)会将该库托管在其 cdnjs 上。最后,对第三方库进行持续的安全更新,并另外实施 CSP 规则以防止 JS 代码注入的可能性。
结论
在本文中,我们介绍了Sansec最初发布的有关 Polyfill 库的供应链攻击问题,该问题可能会通过受感染的域将恶意 JS 代码注入网站。然后,我们分析了此问题对 WordPress 存储库的影响,并发现了已知或仍在使用试图嵌入受感染域中的脚本的代码实现的组件。
